From 75501f5ede68cbcc9651ed17c5eaee2bf31d6a00 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 8 Jan 2024 16:49:17 +0100 Subject: [PATCH 01/53] psa_util: add raw<->DER ECDSA conversion functions Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 36 +++++++ library/psa_util.c | 205 +++++++++++++++++++++++++++++++++++++ 2 files changed, 241 insertions(+) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 47724c633..912179ba8 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -176,6 +176,42 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa return (mbedtls_md_type_t) (psa_alg & PSA_ALG_HASH_MASK); } +#if defined(MBEDTLS_ASN1_WRITE_C) +/** Convert an ECDSA signature from raw format to DER ASN.1 one. + * + * \param raw Buffer that contains the signature in raw format. + * \param raw_len Length of raw buffer in bytes + * \param[out] der Buffer that will be filled with the converted DER + * output. It can overlap with raw buffer. + * \param der_size Size of the output der buffer in bytes. + * \param[out] der_len On success it contains the amount of valid data + * (in bytes) written to der buffer. It's undefined + * in case of failure. + * \param bits Size of each raw coordinate in bits. + */ +int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, + unsigned char *der, size_t der_size, size_t *der_len, + size_t bits); +#endif /* MBEDTLS_ASN1_WRITE_C */ + +#if defined(MBEDTLS_ASN1_PARSE_C) +/** Convert an ECDSA signature from DER ASN.1 format to raw. + * + * \param der Buffer that contains the signature in DER format. + * \param der_len Size of the der buffer in bytes. + * \param[out] raw Buffer that will be filled with the converted raw + * signature. It can overlap with der buffer. + * \param raw_size Size of the raw buffer in bytes. + * \param[out] raw_len On success it is updated with the amount of valid + * data (in bytes) written to raw buffer. It's undefined + * in case of failure. + * \param bits Size of each raw coordinate in bits. + */ +int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, + unsigned char *raw, size_t raw_size, size_t *raw_len, + size_t bits); +#endif /* MBEDTLS_ASN1_PARSE_C */ + /**@}*/ #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/library/psa_util.c b/library/psa_util.c index 41586e262..2c35db010 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -40,6 +40,10 @@ #if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA) #include #endif +#if defined(MBEDTLS_ASN1_WRITE_C) +#include +#include +#endif /* PSA_SUCCESS is kept at the top of each error table since * it's the most common status when everything functions properly. */ @@ -330,4 +334,205 @@ mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family, } #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ +#if defined(MBEDTLS_ASN1_WRITE_C) +/* + * Convert a single raw coordinate to DER ASN.1 format. + * Note: this function is similar to mbedtls_asn1_write_mpi(), but it doesn't + * depend on BIGNUM_C. + * Note: this function fills der_buf backward. + */ +static int convert_raw_to_der_single_int(const unsigned char *raw_buf, size_t raw_len, + unsigned char *der_buf_start, + unsigned char *der_buf_end) +{ + unsigned char *p = der_buf_end; + int len = raw_len; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + /* Copy the raw coordinate to the end of der_buf. */ + if ((p - der_buf_start) < len) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } + p -= len; + memcpy(p, raw_buf, len); + + /* ASN.1 DER encoding requires minimal length, so skip leading 0s. + * Provided input MPIs should not be 0, but as a failsafe measure, still + * detect that and return error in case. */ + while (*p == 0x00) { + ++p; + --len; + if (len == 0) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } + } + + /* If MSb is 1, ASN.1 requires that we prepend a 0. */ + if (*p & 0x80) { + if ((p - der_buf_start) < 1) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } + --p; + *p = 0x00; + ++len; + } + + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, der_buf_start, len)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, der_buf_start, MBEDTLS_ASN1_INTEGER)); + + return len; +} + +int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, + unsigned char *der, size_t der_size, size_t *der_len, + size_t bits) +{ + unsigned char r[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; + unsigned char s[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; + const size_t coordinate_len = PSA_BITS_TO_BYTES(bits); + size_t len = 0; + unsigned char *p = der + der_size; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + if (raw_len < 2 * coordinate_len) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } + + /* Since raw and der buffers might overlap, dump r and s before starting + * the conversion. */ + memset(r, 0, sizeof(r)); + memcpy(r, raw, coordinate_len); + memset(s, 0, sizeof(s)); + memcpy(s, raw + coordinate_len, coordinate_len); + + /* der buffer will initially be written starting from its end so we pick s + * first and then r. */ + ret = convert_raw_to_der_single_int(s, coordinate_len, der, p); + if (ret < 0) { + return ret; + } + p -= ret; + len += ret; + + ret = convert_raw_to_der_single_int(r, coordinate_len, der, p); + if (ret < 0) { + return ret; + } + p -= ret; + len += ret; + + /* Add ASN.1 header (len + tag). */ + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, der, len)); + MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, der, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE)); + + /* memmove the content of der buffer to its beginnig. */ + memmove(der, p, len); + *der_len = len; + + return 0; +} +#endif /* MBEDTLS_ASN1_WRITE_C */ + +#if defined(MBEDTLS_ASN1_PARSE_C) +/* + * Convert a single integer from ASN.1 DER format to raw. + * Note: der and raw buffers are not overlapping here. + */ +static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, + unsigned char *raw, size_t raw_len, + size_t coordinate_size) +{ + unsigned char *p = der; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t unpadded_len, padding_len = 0; + + /* Get the length of ASN.1 element (i.e. the integer we need to parse). */ + ret = mbedtls_asn1_get_tag(&p, p + der_len, &unpadded_len, + MBEDTLS_ASN1_INTEGER); + if (ret != 0) { + return ret; + } + + /* Skip leading zeros */ + while (*p == 0x00) { + p++; + unpadded_len--; + /* It should never happen that the input number is all zeros. */ + if (unpadded_len == 0) { + return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + } + + if (raw_len < coordinate_size) { + return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + + if (unpadded_len < coordinate_size) { + padding_len = coordinate_size - unpadded_len; + memset(raw, 0x00, padding_len); + } + memcpy(raw + padding_len, p, unpadded_len); + p += unpadded_len; + + return (int) (p - der); +} + +int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, + unsigned char *raw, size_t raw_size, size_t *raw_len, + size_t bits) +{ + unsigned char raw_tmp[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE]; + unsigned char *p = (unsigned char *) der; + size_t data_len; + size_t coordinate_size = PSA_BITS_TO_BYTES(bits); + int ret; + + /* The output raw buffer should be at least twice the size of a raw + * coordinate in order to store r and s. */ + if (raw_size < coordinate_size * 2) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } + + /* Check that the provided input DER buffer has the right header. */ + ret = mbedtls_asn1_get_tag(&p, der + der_len, &data_len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); + if (ret != 0) { + return ret; + } + + memset(raw_tmp, 0, sizeof(raw_tmp)); + + /* Extract r */ + ret = convert_der_to_raw_single_int(p, data_len, raw_tmp, sizeof(raw_tmp), + coordinate_size); + if (ret < 0) { + return ret; + } + p += ret; + data_len -= ret; + + /* Extract s */ + ret = convert_der_to_raw_single_int(p, data_len, raw_tmp + coordinate_size, + sizeof(raw_tmp) - coordinate_size, + coordinate_size); + if (ret < 0) { + return ret; + } + p += ret; + data_len -= ret; + + /* Check that we consumed all the input der data. */ + if ((p - der) != (int) der_len) { + return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + } + + memcpy(raw, raw_tmp, 2 * coordinate_size); + *raw_len = 2 * coordinate_size; + + return 0; +} +#endif /* MBEDTLS_ASN1_PARSE_C */ + #endif /* MBEDTLS_PSA_CRYPTO_C */ From bd5b9c61fec431c305416cf851d2ac31ac69df6d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 8 Jan 2024 16:49:48 +0100 Subject: [PATCH 02/53] pk_wrap: use PSA util functions for ECDSA conversion instead of PK ones Signed-off-by: Valerio Setti --- library/pk_wrap.c | 175 ++++++---------------------------------------- 1 file changed, 21 insertions(+), 154 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index c23265022..9a29d929e 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -29,6 +29,7 @@ #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa_util_internal.h" #include "psa/crypto.h" +#include "mbedtls/psa_util.h" #if defined(MBEDTLS_RSA_C) #include "pkwrite.h" @@ -536,66 +537,6 @@ static size_t eckey_get_bitlen(mbedtls_pk_context *pk) #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) #if defined(MBEDTLS_USE_PSA_CRYPTO) -/* - * An ASN.1 encoded signature is a sequence of two ASN.1 integers. Parse one of - * those integers and convert it to the fixed-length encoding expected by PSA. - */ -static int extract_ecdsa_sig_int(unsigned char **from, const unsigned char *end, - unsigned char *to, size_t to_len) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t unpadded_len, padding_len; - - if ((ret = mbedtls_asn1_get_tag(from, end, &unpadded_len, - MBEDTLS_ASN1_INTEGER)) != 0) { - return ret; - } - - while (unpadded_len > 0 && **from == 0x00) { - (*from)++; - unpadded_len--; - } - - if (unpadded_len > to_len || unpadded_len == 0) { - return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; - } - - padding_len = to_len - unpadded_len; - memset(to, 0x00, padding_len); - memcpy(to + padding_len, *from, unpadded_len); - (*from) += unpadded_len; - - return 0; -} - -/* - * Convert a signature from an ASN.1 sequence of two integers - * to a raw {r,s} buffer. Note: the provided sig buffer must be at least - * twice as big as int_size. - */ -static int extract_ecdsa_sig(unsigned char **p, const unsigned char *end, - unsigned char *sig, size_t int_size) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t tmp_size; - - if ((ret = mbedtls_asn1_get_tag(p, end, &tmp_size, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) { - return ret; - } - - /* Extract r */ - if ((ret = extract_ecdsa_sig_int(p, end, sig, int_size)) != 0) { - return ret; - } - /* Extract s */ - if ((ret = extract_ecdsa_sig_int(p, end, sig + int_size, int_size)) != 0) { - return ret; - } - - return 0; -} - /* Common helper for ECDSA verify using PSA functions. */ static int ecdsa_verify_psa(unsigned char *key, size_t key_len, psa_ecc_family_t curve, size_t curve_bits, @@ -607,6 +548,7 @@ static int ecdsa_verify_psa(unsigned char *key, size_t key_len, mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY; size_t signature_len = PSA_ECDSA_SIGNATURE_SIZE(curve_bits); + size_t converted_sig_len; unsigned char extracted_sig[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE]; unsigned char *p; psa_status_t status; @@ -631,11 +573,15 @@ static int ecdsa_verify_psa(unsigned char *key, size_t key_len, } p = (unsigned char *) sig; - /* extract_ecdsa_sig's last parameter is the size - * of each integer to be parsed, so it's actually half - * the size of the signature. */ - if ((ret = extract_ecdsa_sig(&p, sig + sig_len, extracted_sig, - signature_len/2)) != 0) { + ret = mbedtls_ecdsa_der_to_raw(p, sig_len, extracted_sig, + sizeof(extracted_sig), &converted_sig_len, + curve_bits); + if (ret != 0) { + goto cleanup; + } + + if (converted_sig_len != signature_len) { + ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; goto cleanup; } @@ -646,10 +592,6 @@ static int ecdsa_verify_psa(unsigned char *key, size_t key_len, goto cleanup; } - if (p != sig + sig_len) { - ret = MBEDTLS_ERR_PK_SIG_LEN_MISMATCH; - goto cleanup; - } ret = 0; cleanup: @@ -751,90 +693,6 @@ static int ecdsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg, #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) #if defined(MBEDTLS_USE_PSA_CRYPTO) -/* - * Simultaneously convert and move raw MPI from the beginning of a buffer - * to an ASN.1 MPI at the end of the buffer. - * See also mbedtls_asn1_write_mpi(). - * - * p: pointer to the end of the output buffer - * start: start of the output buffer, and also of the mpi to write at the end - * n_len: length of the mpi to read from start - */ -static int asn1_write_mpibuf(unsigned char **p, unsigned char *start, - size_t n_len) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len = 0; - - if ((size_t) (*p - start) < n_len) { - return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; - } - - len = n_len; - *p -= len; - memmove(*p, start, len); - - /* ASN.1 DER encoding requires minimal length, so skip leading 0s. - * Neither r nor s should be 0, but as a failsafe measure, still detect - * that rather than overflowing the buffer in case of a PSA error. */ - while (len > 0 && **p == 0x00) { - ++(*p); - --len; - } - - /* this is only reached if the signature was invalid */ - if (len == 0) { - return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; - } - - /* if the msb is 1, ASN.1 requires that we prepend a 0. - * Neither r nor s can be 0, so we can assume len > 0 at all times. */ - if (**p & 0x80) { - if (*p - start < 1) { - return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; - } - - *--(*p) = 0x00; - len += 1; - } - - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, start, len)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, start, - MBEDTLS_ASN1_INTEGER)); - - return (int) len; -} - -/* Transcode signature from PSA format to ASN.1 sequence. - * See ecdsa_signature_to_asn1 in ecdsa.c, but with byte buffers instead of - * MPIs, and in-place. - * - * [in/out] sig: the signature pre- and post-transcoding - * [in/out] sig_len: signature length pre- and post-transcoding - * [int] buf_len: the available size the in/out buffer - */ -static int pk_ecdsa_sig_asn1_from_psa(unsigned char *sig, size_t *sig_len, - size_t buf_len) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len = 0; - const size_t rs_len = *sig_len / 2; - unsigned char *p = sig + buf_len; - - MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig + rs_len, rs_len)); - MBEDTLS_ASN1_CHK_ADD(len, asn1_write_mpibuf(&p, sig, rs_len)); - - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&p, sig, len)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&p, sig, - MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE)); - - memmove(sig, p, len); - *sig_len = len; - - return 0; -} - /* Common helper for ECDSA sign using PSA functions. * Instead of extracting key's properties in order to check which kind of ECDSA * signature it supports, we try both deterministic and non-deterministic. @@ -845,6 +703,15 @@ static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg, { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_status_t status; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; + size_t key_bits = 0; + + status = psa_get_key_attributes(key_id, &key_attr); + if (status != PSA_SUCCESS) { + return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status); + } + key_bits = psa_get_key_bits(&key_attr); + psa_reset_key_attributes(&key_attr); status = psa_sign_hash(key_id, PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)), @@ -863,7 +730,7 @@ static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg, } done: - ret = pk_ecdsa_sig_asn1_from_psa(sig, sig_len, sig_size); + ret = mbedtls_ecdsa_raw_to_der(sig, sig_size, sig, sig_size, sig_len, key_bits); return ret; } From aed21640bdc3a6a4c3ddbbfe7bbb24e60544ee8d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 8 Jan 2024 16:50:30 +0100 Subject: [PATCH 03/53] test_suite_psa_crypto_util: add test function and data for ECDSA conversion functions Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 71 +++++++++++++++++++ .../test_suite_psa_crypto_util.function | 44 ++++++++++++ 2 files changed, 115 insertions(+) create mode 100644 tests/suites/test_suite_psa_crypto_util.data create mode 100644 tests/suites/test_suite_psa_crypto_util.function diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data new file mode 100644 index 000000000..ce942c841 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -0,0 +1,71 @@ +ECDSA Raw -> DER, 192bit, Success +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":0 + +ECDSA Raw -> DER, 192bit, Raw data too short +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"0101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA Raw -> DER, 192bit, DER buffer too small +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":"30340218010101010101010101010101010101010101010101010101":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + +ECDSA Raw -> DER, 192bit, Null r +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"000000000000000000000000000000000000000000000000020202020202020202020202020202020202020202020202":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA Raw -> DER, 192bit, Null s +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101000000000000000000000000000000000000000000000000":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA Raw -> DER, 192bit, r with MSb set +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"810101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":"30350219008101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":0 + +ECDSA Raw -> DER, 192bit, s with MSb set +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101820202020202020202020202020202020202020202020202":"30350218010101010101010101010101010101010101010101010101021900820202020202020202020202020202020202020202020202":0 + +ECDSA DER -> Raw, 192bit, Success +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":0 + +ECDSA DER -> Raw, 192bit, Raw buffer too small +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"0101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + +ECDSA DER -> Raw, 192bit, Wrong sequence tag +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"403402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +ECDSA DER -> Raw, 192bit, Invalid sequence length +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"30FF02180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_LENGTH + +ECDSA DER -> Raw, 192bit, Wrong integer tag +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303401180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +ECDSA DER -> Raw, 192bit, Wrong r integer length (too small) +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402170101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +ECDSA DER -> Raw, 192bit, Wrong r integer length (too large) +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402190101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +ECDSA DER -> Raw, 192bit, Wrong s integer length (too small) +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010217020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH + +ECDSA DER -> Raw, 192bit, Wrong s integer length (too large) +depends_on:PSA_WANT_ECC_SECP_R1_192 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010219020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_OUT_OF_DATA + +ECDSA Raw -> DER, 256bit, Success +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"01010101010101010101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202020202020202020202":"30440220010101010101010101010101010101010101010101010101010101010101010102200202020202020202020202020202020202020202020202020202020202020202":0 + +ECDSA DER -> Raw, 256bit, Success +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220010101010101010101010101010101010101010101010101010101010101010102200202020202020202020202020202020202020202020202020202020202020202":"01010101010101010101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202020202020202020202":0 diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function new file mode 100644 index 000000000..2a990733f --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -0,0 +1,44 @@ +/* BEGIN_HEADER */ +#include +#include +#include +#include + +enum { + ECDSA_RAW_TO_DER = 0, + ECDSA_DER_TO_RAW, +}; +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_ASN1_WRITE_C:MBEDTLS_ASN1_PARSE_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE */ +void ecdsa_raw_to_der(int direction, int key_bits, data_t *input, data_t *exp_result, int exp_ret) +{ + unsigned char *tmp_buf = NULL; + size_t tmp_buf_len = exp_result->len; + size_t ret_len; + + TEST_CALLOC(tmp_buf, tmp_buf_len); + + if (direction == ECDSA_RAW_TO_DER) { + TEST_EQUAL(mbedtls_ecdsa_raw_to_der(input->x, input->len, + tmp_buf, tmp_buf_len, &ret_len, + key_bits), exp_ret); + } else { + TEST_EQUAL(mbedtls_ecdsa_der_to_raw(input->x, input->len, + tmp_buf, tmp_buf_len, &ret_len, + key_bits), exp_ret); + } + + if (exp_ret == 0) { + ASSERT_COMPARE(exp_result->x, exp_result->len, tmp_buf, ret_len); + } + +exit: + mbedtls_free(tmp_buf); +} +/* END_CASE */ From 84890c9be29e58bc3b7b9d3ed187bc64fa56e450 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 9 Jan 2024 14:20:23 +0100 Subject: [PATCH 04/53] psa_util: improve description for ECDSA conversion functions Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 6 +++-- library/psa_util.c | 51 +++++++++++++++++++++++++++++++------- 2 files changed, 46 insertions(+), 11 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 912179ba8..ea0d5bb0d 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -177,7 +177,8 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa } #if defined(MBEDTLS_ASN1_WRITE_C) -/** Convert an ECDSA signature from raw format to DER ASN.1 one. +/** Convert an ECDSA signature from raw format (used by PSA APIs) to DER ASN.1 + * format (used by legacy crypto APIs). * * \param raw Buffer that contains the signature in raw format. * \param raw_len Length of raw buffer in bytes @@ -195,7 +196,8 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, #endif /* MBEDTLS_ASN1_WRITE_C */ #if defined(MBEDTLS_ASN1_PARSE_C) -/** Convert an ECDSA signature from DER ASN.1 format to raw. +/** Convert an ECDSA signature from DER ASN.1 format (used by legacy crypto + * APIs) to raw format (used by PSA APIs). * * \param der Buffer that contains the signature in DER format. * \param der_len Size of the der buffer in bytes. diff --git a/library/psa_util.c b/library/psa_util.c index 2c35db010..e16971bc5 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -335,11 +335,25 @@ mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family, #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ #if defined(MBEDTLS_ASN1_WRITE_C) -/* - * Convert a single raw coordinate to DER ASN.1 format. - * Note: this function is similar to mbedtls_asn1_write_mpi(), but it doesn't - * depend on BIGNUM_C. - * Note: this function fills der_buf backward. +/** + * \brief Convert a single raw coordinate to DER ASN.1 format. The output der + * buffer is filled backward (i.e. starting from its end). + * + * \param raw_buf Buffer containing the raw coordinate to be + * converted. + * \param raw_len Length of raw_buf in bytes. + * \param der_buf_start Pointer to the beginning of the buffer which + * will be filled with the DER converted data. + * \param der_buf_end End of the buffer used to store the DER output. + * + * \return On success, the amount of data (in bytes) written to + * the DER buffer. + * \return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if the provided der + * buffer is too small to contain all the converted data. + * \return MBEDTLS_ERR_ASN1_INVALID_DATA if the input raw + * coordinate is null (i.e. all zeros). + * + * \warning Raw and der buffer must not be overlapping. */ static int convert_raw_to_der_single_int(const unsigned char *raw_buf, size_t raw_len, unsigned char *der_buf_start, @@ -436,9 +450,28 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, #endif /* MBEDTLS_ASN1_WRITE_C */ #if defined(MBEDTLS_ASN1_PARSE_C) -/* - * Convert a single integer from ASN.1 DER format to raw. - * Note: der and raw buffers are not overlapping here. +/** + * \brief Convert a single integer from ASN.1 DER format to raw. + * + * \param der Buffer containing the DER integer value to be + * converted. + * \param der_len Length of the der buffer in bytes. + * \param raw Output buffer that will be filled with the + * converted data. This should be at least + * coordinate_size bytes. + * \param raw_len Size (in bytes) of the output raw buffer. + * \param coordinate_size Size (in bytes) of a single coordinate in raw + * format. + * + * \return On success, the amount of DER data parsed from the + * provided der buffer. + * \return MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if the integer tag + * is missing in the der buffer. + * \return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH if the integer + * is null (i.e. all zeros) or if the output raw buffer + * is too small to contain the converted raw value. + * + * \warning Der and raw buffers must not be overlapping. */ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, unsigned char *raw, size_t raw_len, @@ -466,7 +499,7 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, } if (raw_len < coordinate_size) { - return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; + return ERR_ASN1_BUF_TOO_SMALL; } if (unpadded_len < coordinate_size) { From 5713c8a5ac38990dc3747dc10b50a3b54a35a0c6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 9 Jan 2024 15:48:37 +0100 Subject: [PATCH 05/53] psa_util: minor code improvements Signed-off-by: Valerio Setti --- library/psa_util.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index e16971bc5..c257d7593 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -414,9 +414,7 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, /* Since raw and der buffers might overlap, dump r and s before starting * the conversion. */ - memset(r, 0, sizeof(r)); memcpy(r, raw, coordinate_len); - memset(s, 0, sizeof(s)); memcpy(s, raw + coordinate_len, coordinate_len); /* der buffer will initially be written starting from its end so we pick s @@ -481,6 +479,10 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t unpadded_len, padding_len = 0; + if (raw_len < coordinate_size) { + return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; + } + /* Get the length of ASN.1 element (i.e. the integer we need to parse). */ ret = mbedtls_asn1_get_tag(&p, p + der_len, &unpadded_len, MBEDTLS_ASN1_INTEGER); @@ -498,10 +500,6 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, } } - if (raw_len < coordinate_size) { - return ERR_ASN1_BUF_TOO_SMALL; - } - if (unpadded_len < coordinate_size) { padding_len = coordinate_size - unpadded_len; memset(raw, 0x00, padding_len); @@ -557,7 +555,7 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, data_len -= ret; /* Check that we consumed all the input der data. */ - if ((p - der) != (int) der_len) { + if ((size_t) (p - der) != der_len) { return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; } From bda440f82da4fe20b7e3bfc0f0d9ae66fe8a9442 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 10 Jan 2024 08:16:50 +0100 Subject: [PATCH 06/53] test_suite_psa_crypto_util: increase the size of tested integers - Replace 192 case with 256 - Replace 256 case with 512 - Add 521 case Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 142 ++++++++++--------- 1 file changed, 76 insertions(+), 66 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index ce942c841..8598a4ef1 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -1,71 +1,81 @@ -ECDSA Raw -> DER, 192bit, Success -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":0 - -ECDSA Raw -> DER, 192bit, Raw data too short -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"0101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_DATA - -ECDSA Raw -> DER, 192bit, DER buffer too small -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":"30340218010101010101010101010101010101010101010101010101":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL - -ECDSA Raw -> DER, 192bit, Null r -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"000000000000000000000000000000000000000000000000020202020202020202020202020202020202020202020202":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_DATA - -ECDSA Raw -> DER, 192bit, Null s -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101000000000000000000000000000000000000000000000000":"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_DATA - -ECDSA Raw -> DER, 192bit, r with MSb set -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"810101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":"30350219008101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":0 - -ECDSA Raw -> DER, 192bit, s with MSb set -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:192:"010101010101010101010101010101010101010101010101820202020202020202020202020202020202020202020202":"30350218010101010101010101010101010101010101010101010101021900820202020202020202020202020202020202020202020202":0 - -ECDSA DER -> Raw, 192bit, Success -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":0 - -ECDSA DER -> Raw, 192bit, Raw buffer too small -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"0101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL - -ECDSA DER -> Raw, 192bit, Wrong sequence tag -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"403402180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG - -ECDSA DER -> Raw, 192bit, Invalid sequence length -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"30FF02180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_INVALID_LENGTH - -ECDSA DER -> Raw, 192bit, Wrong integer tag -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303401180101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG - -ECDSA DER -> Raw, 192bit, Wrong r integer length (too small) -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402170101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG - -ECDSA DER -> Raw, 192bit, Wrong r integer length (too large) -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402190101010101010101010101010101010101010101010101010218020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG - -ECDSA DER -> Raw, 192bit, Wrong s integer length (too small) -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010217020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH - -ECDSA DER -> Raw, 192bit, Wrong s integer length (too large) -depends_on:PSA_WANT_ECC_SECP_R1_192 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:192:"303402180101010101010101010101010101010101010101010101010219020202020202020202020202020202020202020202020202":"010101010101010101010101010101010101010101010101020202020202020202020202020202020202020202020202":MBEDTLS_ERR_ASN1_OUT_OF_DATA - ECDSA Raw -> DER, 256bit, Success depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"01010101010101010101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202020202020202020202":"30440220010101010101010101010101010101010101010101010101010101010101010102200202020202020202020202020202020202020202020202020202020202020202":0 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 + +ECDSA Raw -> DER, 256bit, Raw data too short +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA Raw -> DER, 256bit, DER buffer too small +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + +ECDSA Raw -> DER, 256bit, Null r +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA Raw -> DER, 256bit, Null s +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA Raw -> DER, 256bit, r with MSb set +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 + +ECDSA Raw -> DER, 256bit, s with MSb set +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Success depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220010101010101010101010101010101010101010101010101010101010101010102200202020202020202020202020202020202020202020202020202020202020202":"01010101010101010101010101010101010101010101010101010101010101010202020202020202020202020202020202020202020202020202020202020202":0 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 + +ECDSA DER -> Raw, 256bit, Raw buffer too small +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL + +ECDSA DER -> Raw, 256bit, Wrong sequence tag +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +ECDSA DER -> Raw, 256bit, Invalid sequence length +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30ff0220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_LENGTH + +ECDSA DER -> Raw, 256bit, Wrong integer tag +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440120111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +ECDSA DER -> Raw, 256bit, Wrong r integer length (too small) +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440219111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +ECDSA DER -> Raw, 256bit, Wrong r integer length (too large) +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +ECDSA DER -> Raw, 256bit, Wrong s integer length (too small) +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102192222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH + +ECDSA DER -> Raw, 256bit, Wrong s integer length (too large) +depends_on:PSA_WANT_ECC_SECP_R1_256 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA + +ECDSA Raw -> DER, 512bit, Success +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:512:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 + +ECDSA DER -> Raw, 512bit, Success +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:512:"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 + +# Bit length is rounded up to 528 to be multiple of 8 +ECDSA Raw -> DER, 521bit, Success +depends_on:PSA_WANT_ECC_SECP_R1_521 +ecdsa_raw_to_der:ECDSA_RAW_TO_DER:528:"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 + +# Bit length is rounded up to 528 to be multiple of 8 +ECDSA DER -> Raw, 521bit, Success +depends_on:PSA_WANT_ECC_SECP_R1_521 +ecdsa_raw_to_der:ECDSA_DER_TO_RAW:528:"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 From 99c0369d314ca613d4b721f96c8987560a60c220 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 10 Jan 2024 08:21:10 +0100 Subject: [PATCH 07/53] psa_util: add include asn1write.h in public header This is mandatory to have support for the error codes defined in the asn1write.h header file. Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 5 +++++ tests/suites/test_suite_psa_crypto_util.function | 2 -- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index ea0d5bb0d..87787f1e0 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -16,6 +16,11 @@ #include "psa/crypto.h" +/* ASN1 defines used in the ECDSA conversion functions. */ +#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_ASN1_PARSE_C) +#include +#endif + #if defined(MBEDTLS_PSA_CRYPTO_C) /* Expose whatever RNG the PSA subsystem uses to applications using the diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index 2a990733f..bf1f88d8b 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -1,8 +1,6 @@ /* BEGIN_HEADER */ -#include #include #include -#include enum { ECDSA_RAW_TO_DER = 0, From c22e3ce8efd8a6f6c804ac1b28c17b0ea3bb4080 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 10 Jan 2024 08:46:59 +0100 Subject: [PATCH 08/53] psa_util: remove CRYPTO_C guard from ECDSA conversion functions Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 8 +++---- library/psa_util.c | 22 ++++++++++--------- .../test_suite_psa_crypto_util.function | 7 +----- 3 files changed, 17 insertions(+), 20 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 87787f1e0..93fb38d73 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -16,10 +16,10 @@ #include "psa/crypto.h" -/* ASN1 defines used in the ECDSA conversion functions. */ -#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_ASN1_PARSE_C) +/* ASN1 defines used in the ECDSA conversion functions. + * Note: intentionally not adding MBEDTLS_ASN1_[PARSE|WRITE]_C guards here + * otherwise error codes would be unknown in test_suite_psa_crypto_util.data.*/ #include -#endif #if defined(MBEDTLS_PSA_CRYPTO_C) @@ -180,6 +180,7 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa { return (mbedtls_md_type_t) (psa_alg & PSA_ALG_HASH_MASK); } +#endif /* MBEDTLS_PSA_CRYPTO_C */ #if defined(MBEDTLS_ASN1_WRITE_C) /** Convert an ECDSA signature from raw format (used by PSA APIs) to DER ASN.1 @@ -221,5 +222,4 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, /**@}*/ -#endif /* MBEDTLS_PSA_CRYPTO_C */ #endif /* MBEDTLS_PSA_UTIL_H */ diff --git a/library/psa_util.c b/library/psa_util.c index c257d7593..ad5c9fb12 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -8,14 +8,20 @@ #include "common.h" +/* This is needed for MBEDTLS_ERR_XXX macros */ +#include + +#if defined(MBEDTLS_ASN1_WRITE_C) +#include +#include +#endif + +#include "psa_util_internal.h" + #if defined(MBEDTLS_PSA_CRYPTO_C) #include -#include "psa_util_internal.h" - -/* The following includes are needed for MBEDTLS_ERR_XXX macros */ -#include #if defined(MBEDTLS_MD_LIGHT) #include #endif @@ -40,10 +46,6 @@ #if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA) #include #endif -#if defined(MBEDTLS_ASN1_WRITE_C) -#include -#include -#endif /* PSA_SUCCESS is kept at the top of each error table since * it's the most common status when everything functions properly. */ @@ -334,6 +336,8 @@ mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family, } #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ +#endif /* MBEDTLS_PSA_CRYPTO_C */ + #if defined(MBEDTLS_ASN1_WRITE_C) /** * \brief Convert a single raw coordinate to DER ASN.1 format. The output der @@ -565,5 +569,3 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, return 0; } #endif /* MBEDTLS_ASN1_PARSE_C */ - -#endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index bf1f88d8b..57cda0945 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -8,12 +8,7 @@ enum { }; /* END_HEADER */ -/* BEGIN_DEPENDENCIES - * depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_ASN1_WRITE_C:MBEDTLS_ASN1_PARSE_C - * END_DEPENDENCIES - */ - -/* BEGIN_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C:MBEDTLS_ASN1_PARSE_C */ void ecdsa_raw_to_der(int direction, int key_bits, data_t *input, data_t *exp_result, int exp_ret) { unsigned char *tmp_buf = NULL; From 3f0809a99d3464ca105c75d75093a8e6cd9fffd8 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 10 Jan 2024 09:00:55 +0100 Subject: [PATCH 09/53] test_suite_psa_crypto_util: split ECDSA test function in two Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 40 ++++++++--------- .../test_suite_psa_crypto_util.function | 43 ++++++++++++------- 2 files changed, 47 insertions(+), 36 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 8598a4ef1..a8d34581c 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -1,81 +1,81 @@ ECDSA Raw -> DER, 256bit, Success depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, Raw data too short depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, DER buffer too small depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL +ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ECDSA Raw -> DER, 256bit, Null r depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ecdsa_raw_to_der:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, Null s depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, r with MSb set depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_raw_to_der:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, s with MSb set depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Success depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Raw buffer too small depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL +ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ECDSA DER -> Raw, 256bit, Wrong sequence tag depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +ecdsa_der_to_raw:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Invalid sequence length depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30ff0220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_LENGTH +ecdsa_der_to_raw:256:"30ff0220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_LENGTH ECDSA DER -> Raw, 256bit, Wrong integer tag depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440120111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +ecdsa_der_to_raw:256:"30440120111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong r integer length (too small) depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440219111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +ecdsa_der_to_raw:256:"30440219111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong r integer length (too large) depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +ecdsa_der_to_raw:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong s integer length (too small) depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102192222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102192222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ECDSA DER -> Raw, 256bit, Wrong s integer length (too large) depends_on:PSA_WANT_ECC_SECP_R1_256 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA +ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA ECDSA Raw -> DER, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:512:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_raw_to_der:512:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:512:"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_der_to_raw:512:"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 # Bit length is rounded up to 528 to be multiple of 8 ECDSA Raw -> DER, 521bit, Success depends_on:PSA_WANT_ECC_SECP_R1_521 -ecdsa_raw_to_der:ECDSA_RAW_TO_DER:528:"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_raw_to_der:528:"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 # Bit length is rounded up to 528 to be multiple of 8 ECDSA DER -> Raw, 521bit, Success depends_on:PSA_WANT_ECC_SECP_R1_521 -ecdsa_raw_to_der:ECDSA_DER_TO_RAW:528:"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_der_to_raw:528:"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index 57cda0945..3c4976607 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -1,15 +1,10 @@ /* BEGIN_HEADER */ #include #include - -enum { - ECDSA_RAW_TO_DER = 0, - ECDSA_DER_TO_RAW, -}; /* END_HEADER */ -/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C:MBEDTLS_ASN1_PARSE_C */ -void ecdsa_raw_to_der(int direction, int key_bits, data_t *input, data_t *exp_result, int exp_ret) +/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C */ +void ecdsa_raw_to_der(int key_bits, data_t *input, data_t *exp_result, int exp_ret) { unsigned char *tmp_buf = NULL; size_t tmp_buf_len = exp_result->len; @@ -17,15 +12,31 @@ void ecdsa_raw_to_der(int direction, int key_bits, data_t *input, data_t *exp_re TEST_CALLOC(tmp_buf, tmp_buf_len); - if (direction == ECDSA_RAW_TO_DER) { - TEST_EQUAL(mbedtls_ecdsa_raw_to_der(input->x, input->len, - tmp_buf, tmp_buf_len, &ret_len, - key_bits), exp_ret); - } else { - TEST_EQUAL(mbedtls_ecdsa_der_to_raw(input->x, input->len, - tmp_buf, tmp_buf_len, &ret_len, - key_bits), exp_ret); - } + TEST_EQUAL(mbedtls_ecdsa_raw_to_der(input->x, input->len, + tmp_buf, tmp_buf_len, &ret_len, + key_bits), exp_ret); + + if (exp_ret == 0) { + ASSERT_COMPARE(exp_result->x, exp_result->len, tmp_buf, ret_len); + } + +exit: + mbedtls_free(tmp_buf); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_ASN1_PARSE_C */ +void ecdsa_der_to_raw(int key_bits, data_t *input, data_t *exp_result, int exp_ret) +{ + unsigned char *tmp_buf = NULL; + size_t tmp_buf_len = exp_result->len; + size_t ret_len; + + TEST_CALLOC(tmp_buf, tmp_buf_len); + + TEST_EQUAL(mbedtls_ecdsa_der_to_raw(input->x, input->len, + tmp_buf, tmp_buf_len, &ret_len, + key_bits), exp_ret); if (exp_ret == 0) { ASSERT_COMPARE(exp_result->x, exp_result->len, tmp_buf, ret_len); From 3ccb2b54236a096c6757521ecce458b5e84f4abe Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 10 Jan 2024 10:51:24 +0100 Subject: [PATCH 10/53] all.sh: add exception for ASN1_PARSE_C in check_test_dependencies There is no PSA equivalent to ASN1 legacy symbols. Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 44930d28b..41faaee47 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1059,11 +1059,16 @@ component_check_test_dependencies () { echo "!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH" >> $expected # No PSA equivalent - used to skip decryption tests in PSA-ECB, CBC/XTS/NIST_KW/DES echo "!MBEDTLS_BLOCK_CIPHER_NO_DECRYPT" >> $expected - # This is used by import_rsa_made_up() in test_suite_psa_crypto in order - # to build a fake RSA key of the wanted size based on + # MBEDTLS_ASN1_WRITE_C is used by import_rsa_made_up() in test_suite_psa_crypto + # in order to build a fake RSA key of the wanted size based on # PSA_VENDOR_RSA_MAX_KEY_BITS. The legacy module is only used by # the test code and that's probably the most convenient way of achieving # the test's goal. + # + # Both MBEDTLS_ASN1_[PARSE|WRITE]_C are used in ECDSA conversion functions + # (in psa_util module) and, therefore, also in test_suite_psa_crypto_util. + # There is no PSA equivalent for these ASN1 symbols in PSA. + echo "MBEDTLS_ASN1_PARSE_C" >> $expected echo "MBEDTLS_ASN1_WRITE_C" >> $expected # No PSA equivalent - we should probably have one in the future. echo "MBEDTLS_ECP_RESTARTABLE" >> $expected From 86bae52c5500509d9837fff6f0d40e2cff980e2a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 10 Jan 2024 11:12:31 +0100 Subject: [PATCH 11/53] psa_util: skip leading zeros in der format with "if" instead of "while" This is possible because we know that DER format can have at most 1 leading zero. Signed-off-by: Valerio Setti --- library/psa_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index ad5c9fb12..e69ff6bb6 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -494,8 +494,8 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, return ret; } - /* Skip leading zeros */ - while (*p == 0x00) { + /* Skip possible leading zero */ + if (*p == 0x00) { p++; unpadded_len--; /* It should never happen that the input number is all zeros. */ From a7b83a04ee9142f876c4703fbbdb5ee56c6566a9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 10 Jan 2024 16:07:29 +0100 Subject: [PATCH 12/53] psa_util: add variable casting in convert_raw_to_der_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_util.c b/library/psa_util.c index e69ff6bb6..ef9aff172 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -364,7 +364,7 @@ static int convert_raw_to_der_single_int(const unsigned char *raw_buf, size_t ra unsigned char *der_buf_end) { unsigned char *p = der_buf_end; - int len = raw_len; + int len = (int) raw_len; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; /* Copy the raw coordinate to the end of der_buf. */ From 31657ed70c80303d980c0d88ba5d0f1cca15fd4e Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 11 Jan 2024 07:01:30 +0100 Subject: [PATCH 13/53] test_suite_psa_crypto_util: change curve type for 256bits tests Tests with 256 bits curve simply depends on any curve of that size, but they don't really care about which family is enabled. Here I replaced PSA_WANT_ECC_SECP_R1_256 with PSA_WANT_ECC_SECP_K1_256 because otherwise there were test disparities in the "analyze_driver_vs_reference_tfm_config" component of "analyze_outcomes.py". It looked simpler to change the curve type in the test suite's data rather than adding proper exceptions in "analyze_outcomes.py" Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 32 ++++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index a8d34581c..49848615c 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -1,65 +1,65 @@ ECDSA Raw -> DER, 256bit, Success -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, Raw data too short -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, DER buffer too small -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ECDSA Raw -> DER, 256bit, Null r -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, Null s -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, r with MSb set -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, s with MSb set -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Success -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Raw buffer too small -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ECDSA DER -> Raw, 256bit, Wrong sequence tag -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Invalid sequence length -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30ff0220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_LENGTH ECDSA DER -> Raw, 256bit, Wrong integer tag -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440120111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong r integer length (too small) -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440219111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong r integer length (too large) -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong s integer length (too small) -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102192222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ECDSA DER -> Raw, 256bit, Wrong s integer length (too large) -depends_on:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA ECDSA Raw -> DER, 512bit, Success From 17105df3e776a79b2668c2fb960ef1f4dcb8171a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 11 Jan 2024 10:41:59 +0100 Subject: [PATCH 14/53] test_suite_psa_crypto_util: add comments to 512/521 bit size test cases Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 49848615c..45a3cb565 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -62,20 +62,24 @@ ECDSA DER -> Raw, 256bit, Wrong s integer length (too large) depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA +# 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 ecdsa_raw_to_der:512:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +# 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA DER -> Raw, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 ecdsa_der_to_raw:512:"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 -# Bit length is rounded up to 528 to be multiple of 8 +# 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. +# Bit length is rounded up to 528 to be multiple of 8. ECDSA Raw -> DER, 521bit, Success depends_on:PSA_WANT_ECC_SECP_R1_521 ecdsa_raw_to_der:528:"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 -# Bit length is rounded up to 528 to be multiple of 8 +# 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. +# Bit length is rounded up to 528 to be multiple of 8. ECDSA DER -> Raw, 521bit, Success depends_on:PSA_WANT_ECC_SECP_R1_521 ecdsa_der_to_raw:528:"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 From f4d2dc2d772cef1baa7367996c45e9a0ae7e1be1 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 16 Jan 2024 10:57:48 +0100 Subject: [PATCH 15/53] psa_util: guard ECDSA conversion functions with proper (internal) symbol Signed-off-by: Valerio Setti --- include/mbedtls/config_adjust_legacy_crypto.h | 7 +++++++ include/mbedtls/psa_util.h | 4 ++++ library/psa_util.c | 4 ++++ tests/suites/test_suite_psa_crypto_util.function | 4 ++-- 4 files changed, 17 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 696266c6f..833f15268 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -400,6 +400,13 @@ #define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY #endif +/* psa_util file features some ECDSA conversion functions, to convert between + * legacy's ASN.1 DER format and PSA's raw one. */ +#if defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_PSA_CRYPTO_C) && \ + (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)) +#define MBEDTLS_PSA_UTIL_HAVE_ECDSA +#endif + /* Some internal helpers to determine which keys are availble. */ #if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_AES_C)) || \ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_AES)) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 93fb38d73..3bf05d183 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -182,6 +182,8 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa } #endif /* MBEDTLS_PSA_CRYPTO_C */ +#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) + #if defined(MBEDTLS_ASN1_WRITE_C) /** Convert an ECDSA signature from raw format (used by PSA APIs) to DER ASN.1 * format (used by legacy crypto APIs). @@ -220,6 +222,8 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, size_t bits); #endif /* MBEDTLS_ASN1_PARSE_C */ +#endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */ + /**@}*/ #endif /* MBEDTLS_PSA_UTIL_H */ diff --git a/library/psa_util.c b/library/psa_util.c index ef9aff172..c78b6035d 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -338,6 +338,8 @@ mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family, #endif /* MBEDTLS_PSA_CRYPTO_C */ +#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) + #if defined(MBEDTLS_ASN1_WRITE_C) /** * \brief Convert a single raw coordinate to DER ASN.1 format. The output der @@ -569,3 +571,5 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, return 0; } #endif /* MBEDTLS_ASN1_PARSE_C */ + +#endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */ diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index 3c4976607..bfdafa7b3 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -3,7 +3,7 @@ #include /* END_HEADER */ -/* BEGIN_CASE depends_on:MBEDTLS_ASN1_WRITE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA:MBEDTLS_ASN1_WRITE_C */ void ecdsa_raw_to_der(int key_bits, data_t *input, data_t *exp_result, int exp_ret) { unsigned char *tmp_buf = NULL; @@ -25,7 +25,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_ASN1_PARSE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA:MBEDTLS_ASN1_PARSE_C */ void ecdsa_der_to_raw(int key_bits, data_t *input, data_t *exp_result, int exp_ret) { unsigned char *tmp_buf = NULL; From 688f795cb38b86995051c3033b7aeb73f573ddf8 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 16 Jan 2024 09:18:40 +0100 Subject: [PATCH 16/53] asn1: use the new symbol to guard dependencies of ECDSA conversion functions Signed-off-by: Valerio Setti --- include/mbedtls/asn1.h | 5 +++-- include/mbedtls/asn1write.h | 5 +++-- include/mbedtls/psa_util.h | 4 ---- library/asn1parse.c | 5 +++-- library/asn1write.c | 5 +++-- library/psa_util.c | 4 ---- tests/suites/test_suite_psa_crypto_util.function | 4 ++-- 7 files changed, 14 insertions(+), 18 deletions(-) diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index 3c3bfad9d..ff019f432 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -197,7 +197,8 @@ typedef struct mbedtls_asn1_named_data { } mbedtls_asn1_named_data; -#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) +#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \ + defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) /** * \brief Get the length of an ASN.1 element. * Updates the pointer to immediately behind the length. @@ -244,7 +245,7 @@ int mbedtls_asn1_get_len(unsigned char **p, int mbedtls_asn1_get_tag(unsigned char **p, const unsigned char *end, size_t *len, int tag); -#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C */ +#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */ #if defined(MBEDTLS_ASN1_PARSE_C) /** diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h index 7af4aba41..0c5a85ac2 100644 --- a/include/mbedtls/asn1write.h +++ b/include/mbedtls/asn1write.h @@ -36,7 +36,8 @@ extern "C" { #endif -#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) +#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) || \ + defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) /** * \brief Write a length field in ASN.1 format. * @@ -65,7 +66,7 @@ int mbedtls_asn1_write_len(unsigned char **p, const unsigned char *start, */ int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start, unsigned char tag); -#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C */ +#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA*/ #if defined(MBEDTLS_ASN1_WRITE_C) /** diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 3bf05d183..15e92e36f 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -184,7 +184,6 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa #if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) -#if defined(MBEDTLS_ASN1_WRITE_C) /** Convert an ECDSA signature from raw format (used by PSA APIs) to DER ASN.1 * format (used by legacy crypto APIs). * @@ -201,9 +200,7 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, unsigned char *der, size_t der_size, size_t *der_len, size_t bits); -#endif /* MBEDTLS_ASN1_WRITE_C */ -#if defined(MBEDTLS_ASN1_PARSE_C) /** Convert an ECDSA signature from DER ASN.1 format (used by legacy crypto * APIs) to raw format (used by PSA APIs). * @@ -220,7 +217,6 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, unsigned char *raw, size_t raw_size, size_t *raw_len, size_t bits); -#endif /* MBEDTLS_ASN1_PARSE_C */ #endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */ diff --git a/library/asn1parse.c b/library/asn1parse.c index c02b233ec..e33fdf71d 100644 --- a/library/asn1parse.c +++ b/library/asn1parse.c @@ -7,7 +7,8 @@ #include "common.h" -#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) +#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \ + defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) #include "mbedtls/asn1.h" #include "mbedtls/platform_util.h" @@ -73,7 +74,7 @@ int mbedtls_asn1_get_tag(unsigned char **p, return mbedtls_asn1_get_len(p, end, len); } -#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C */ +#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */ #if defined(MBEDTLS_ASN1_PARSE_C) int mbedtls_asn1_get_bool(unsigned char **p, diff --git a/library/asn1write.c b/library/asn1write.c index 114091d63..775a9ef53 100644 --- a/library/asn1write.c +++ b/library/asn1write.c @@ -7,7 +7,8 @@ #include "common.h" -#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) +#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) || \ + defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) #include "mbedtls/asn1write.h" #include "mbedtls/error.h" @@ -62,7 +63,7 @@ int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start, unsign return 1; } -#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C */ +#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */ #if defined(MBEDTLS_ASN1_WRITE_C) static int mbedtls_asn1_write_len_and_tag(unsigned char **p, diff --git a/library/psa_util.c b/library/psa_util.c index c78b6035d..9e21602f6 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -340,7 +340,6 @@ mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family, #if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) -#if defined(MBEDTLS_ASN1_WRITE_C) /** * \brief Convert a single raw coordinate to DER ASN.1 format. The output der * buffer is filled backward (i.e. starting from its end). @@ -451,9 +450,7 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, return 0; } -#endif /* MBEDTLS_ASN1_WRITE_C */ -#if defined(MBEDTLS_ASN1_PARSE_C) /** * \brief Convert a single integer from ASN.1 DER format to raw. * @@ -570,6 +567,5 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, return 0; } -#endif /* MBEDTLS_ASN1_PARSE_C */ #endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */ diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index bfdafa7b3..8f0dd6cfc 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -3,7 +3,7 @@ #include /* END_HEADER */ -/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA:MBEDTLS_ASN1_WRITE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA */ void ecdsa_raw_to_der(int key_bits, data_t *input, data_t *exp_result, int exp_ret) { unsigned char *tmp_buf = NULL; @@ -25,7 +25,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA:MBEDTLS_ASN1_PARSE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA */ void ecdsa_der_to_raw(int key_bits, data_t *input, data_t *exp_result, int exp_ret) { unsigned char *tmp_buf = NULL; From 448377bec7c7d1a063c7bc6a0adeb8053659e97b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 16 Jan 2024 16:24:07 +0100 Subject: [PATCH 17/53] all.sh: remove MBEDTLS_ASN1_PARSE_C exception from check_test_dependencies() Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 41faaee47..fddcc0153 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1065,10 +1065,9 @@ component_check_test_dependencies () { # the test code and that's probably the most convenient way of achieving # the test's goal. # - # Both MBEDTLS_ASN1_[PARSE|WRITE]_C are used in ECDSA conversion functions + # MBEDTLS_ASN1_WRITE_C is also used in ECDSA conversion functions # (in psa_util module) and, therefore, also in test_suite_psa_crypto_util. - # There is no PSA equivalent for these ASN1 symbols in PSA. - echo "MBEDTLS_ASN1_PARSE_C" >> $expected + # There is no PSA equivalent for this ASN1 symbols in PSA. echo "MBEDTLS_ASN1_WRITE_C" >> $expected # No PSA equivalent - we should probably have one in the future. echo "MBEDTLS_ECP_RESTARTABLE" >> $expected From bcf0fc5119115a2d6502d3acd3121c7813a51b02 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 26 Jan 2024 14:53:28 +0100 Subject: [PATCH 18/53] adjust_legacy_crypto: add parenthesis to improve clarity Signed-off-by: Valerio Setti --- include/mbedtls/config_adjust_legacy_crypto.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 833f15268..eb52d3f23 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -402,8 +402,8 @@ /* psa_util file features some ECDSA conversion functions, to convert between * legacy's ASN.1 DER format and PSA's raw one. */ -#if defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_PSA_CRYPTO_C) && \ - (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)) +#if defined(MBEDTLS_ECDSA_C) || (defined(MBEDTLS_PSA_CRYPTO_C) && \ + (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA))) #define MBEDTLS_PSA_UTIL_HAVE_ECDSA #endif From f8ce457fb606309c87ba5c2595eeb9d5a9ce6cf2 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 26 Jan 2024 14:55:14 +0100 Subject: [PATCH 19/53] all.sh: fix comment in check_test_dependencies() MBEDTLS_ASN1_WRITE_C is no more required for ECDSA conversion functions. Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index fddcc0153..c4982b6cc 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1064,10 +1064,6 @@ component_check_test_dependencies () { # PSA_VENDOR_RSA_MAX_KEY_BITS. The legacy module is only used by # the test code and that's probably the most convenient way of achieving # the test's goal. - # - # MBEDTLS_ASN1_WRITE_C is also used in ECDSA conversion functions - # (in psa_util module) and, therefore, also in test_suite_psa_crypto_util. - # There is no PSA equivalent for this ASN1 symbols in PSA. echo "MBEDTLS_ASN1_WRITE_C" >> $expected # No PSA equivalent - we should probably have one in the future. echo "MBEDTLS_ECP_RESTARTABLE" >> $expected From 9b9b5a52d95c476a66e441706a38e98631c6990e Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 29 Jan 2024 16:53:03 +0100 Subject: [PATCH 20/53] psa_util: some code improvement to convert_der_to_raw_single_int() This commit also fixes test_suite_psa_crypto_util.data due to the change in one of the return values. Signed-off-by: Valerio Setti --- library/psa_util.c | 10 +++++++--- tests/suites/test_suite_psa_crypto_util.data | 2 +- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index 9e21602f6..034987312 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -494,7 +494,7 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, } /* Skip possible leading zero */ - if (*p == 0x00) { + if ((*p == 0x00) && (unpadded_len > 0)) { p++; unpadded_len--; /* It should never happen that the input number is all zeros. */ @@ -503,9 +503,13 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, } } - if (unpadded_len < coordinate_size) { + if (unpadded_len > coordinate_size) { + /* Parsed number is longer than the maximum expected value. */ + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } else { padding_len = coordinate_size - unpadded_len; - memset(raw, 0x00, padding_len); + /* raw buffer was already zeroed in mbedtls_ecdsa_der_to_raw() so + * zero-padding operation is skipped here. */ } memcpy(raw + padding_len, p, unpadded_len); p += unpadded_len; diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 45a3cb565..40f639160 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -52,7 +52,7 @@ ecdsa_der_to_raw:256:"3044021911111111111111111111111111111111111111111111111111 ECDSA DER -> Raw, 256bit, Wrong r integer length (too large) depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +ecdsa_der_to_raw:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Wrong s integer length (too small) depends_on:PSA_WANT_ECC_SECP_K1_256 From ee5238fcf4c25f046cd54a00680118e3da65f2b5 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 29 Jan 2024 17:34:07 +0100 Subject: [PATCH 21/53] suite_psa_crypto_util: add more testing for mbedtls_ecdsa_raw_to_der() A new test function is added, ecdsa_raw_to_der_incremental, that tests incremental output DER buffer sizes checking that only the correct one (tested at last) works correctly. Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 12 ++++++++++ .../test_suite_psa_crypto_util.function | 24 +++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 40f639160..4bb2044a5 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -83,3 +83,15 @@ ecdsa_raw_to_der:528:"1111111111111111111111111111111111111111111111111111111111 ECDSA DER -> Raw, 521bit, Success depends_on:PSA_WANT_ECC_SECP_R1_521 ecdsa_der_to_raw:528:"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 + +ECDSA Raw -> DER, 256bit, Incremental DER buffer sizes +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_raw_to_der_incremental:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222" + +ECDSA Raw -> DER, 512bit, Incremental DER buffer sizes +depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +ecdsa_raw_to_der_incremental:512:"9111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818502410091111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" + +ECDSA Raw -> DER, 521bit, Incremental DER buffer sizes +depends_on:PSA_WANT_ECC_SECP_R1_521 +ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index 8f0dd6cfc..d1647d4b3 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -25,6 +25,30 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA */ +void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_result) +{ + unsigned char *tmp_buf = NULL; + size_t tmp_buf_len = exp_result->len; + size_t ret_len; + size_t i; + + TEST_CALLOC(tmp_buf, tmp_buf_len); + + for (i = 0; i < tmp_buf_len; i++) { + TEST_ASSERT(mbedtls_ecdsa_raw_to_der(input->x, input->len, + tmp_buf, i, &ret_len, + key_bits) != 0); + } + TEST_EQUAL(mbedtls_ecdsa_raw_to_der(input->x, input->len, + tmp_buf, i, &ret_len, + key_bits), 0); + +exit: + mbedtls_free(tmp_buf); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA */ void ecdsa_der_to_raw(int key_bits, data_t *input, data_t *exp_result, int exp_ret) { From 122c94fd269a0c0f3c047a1a9f7ca03489ab292b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 29 Jan 2024 18:02:03 +0100 Subject: [PATCH 22/53] psa_util: remove raw_len param from convert_der_to_raw_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index 034987312..0c603b704 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -460,7 +460,6 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, * \param raw Output buffer that will be filled with the * converted data. This should be at least * coordinate_size bytes. - * \param raw_len Size (in bytes) of the output raw buffer. * \param coordinate_size Size (in bytes) of a single coordinate in raw * format. * @@ -475,17 +474,12 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, * \warning Der and raw buffers must not be overlapping. */ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, - unsigned char *raw, size_t raw_len, - size_t coordinate_size) + unsigned char *raw, size_t coordinate_size) { unsigned char *p = der; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t unpadded_len, padding_len = 0; - if (raw_len < coordinate_size) { - return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; - } - /* Get the length of ASN.1 element (i.e. the integer we need to parse). */ ret = mbedtls_asn1_get_tag(&p, p + der_len, &unpadded_len, MBEDTLS_ASN1_INTEGER); @@ -543,8 +537,7 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, memset(raw_tmp, 0, sizeof(raw_tmp)); /* Extract r */ - ret = convert_der_to_raw_single_int(p, data_len, raw_tmp, sizeof(raw_tmp), - coordinate_size); + ret = convert_der_to_raw_single_int(p, data_len, raw_tmp, coordinate_size); if (ret < 0) { return ret; } @@ -553,7 +546,6 @@ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, /* Extract s */ ret = convert_der_to_raw_single_int(p, data_len, raw_tmp + coordinate_size, - sizeof(raw_tmp) - coordinate_size, coordinate_size); if (ret < 0) { return ret; From 7a795fd9515a27dd1d7e5cc4fe319526c46842b9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 29 Jan 2024 18:08:42 +0100 Subject: [PATCH 23/53] suite_psa_crypto_util: add more test cases for DER->RAW - r with MSb set - Invalid r (only 1 zero byte) Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 4bb2044a5..49b491954 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -62,6 +62,14 @@ ECDSA DER -> Raw, 256bit, Wrong s integer length (too large) depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA +ECDSA DER -> Raw, 256bit, r with MSb set +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 + +ECDSA DER -> Raw, 256bit, Invalid r (only 1 zero byte) +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH + # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 From 78da7468ca64838cfd3405a819f59b970b2da3b2 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 30 Jan 2024 15:08:40 +0100 Subject: [PATCH 24/53] psa_util: minor improvements to convert_der_to_raw_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index 0c603b704..dfea36b90 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -459,7 +459,8 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, * \param der_len Length of the der buffer in bytes. * \param raw Output buffer that will be filled with the * converted data. This should be at least - * coordinate_size bytes. + * coordinate_size bytes and it must be zeroed before + * calling this function. * \param coordinate_size Size (in bytes) of a single coordinate in raw * format. * @@ -500,11 +501,10 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, if (unpadded_len > coordinate_size) { /* Parsed number is longer than the maximum expected value. */ return MBEDTLS_ERR_ASN1_INVALID_DATA; - } else { - padding_len = coordinate_size - unpadded_len; - /* raw buffer was already zeroed in mbedtls_ecdsa_der_to_raw() so - * zero-padding operation is skipped here. */ } + padding_len = coordinate_size - unpadded_len; + /* raw buffer was already zeroed by the calling function so zero-padding + * operation is skipped here. */ memcpy(raw + padding_len, p, unpadded_len); p += unpadded_len; From 98e1931a0a7486a147ae64877ea1542690d99582 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 30 Jan 2024 15:46:02 +0100 Subject: [PATCH 25/53] test_suite_psa_crypto_util: alloc/free buffer inside loop in ecdsa_raw_to_der_incremental() Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.function | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index d1647d4b3..9dc95b659 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -33,17 +33,19 @@ void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_resul size_t ret_len; size_t i; - TEST_CALLOC(tmp_buf, tmp_buf_len); - - for (i = 0; i < tmp_buf_len; i++) { + for (i = 1; i < tmp_buf_len; i++) { + TEST_CALLOC(tmp_buf, i); TEST_ASSERT(mbedtls_ecdsa_raw_to_der(input->x, input->len, tmp_buf, i, &ret_len, key_bits) != 0); + mbedtls_free(tmp_buf); + tmp_buf = NULL; } + + TEST_CALLOC(tmp_buf, i); TEST_EQUAL(mbedtls_ecdsa_raw_to_der(input->x, input->len, tmp_buf, i, &ret_len, key_bits), 0); - exit: mbedtls_free(tmp_buf); } From 252311d41e1e13de76c1a71875b3553f54210fbd Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 30 Jan 2024 15:50:28 +0100 Subject: [PATCH 26/53] test_suite_psa_crypto_util: add test with 0-length for r Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 49b491954..78f048ade 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -70,6 +70,10 @@ ECDSA DER -> Raw, 256bit, Invalid r (only 1 zero byte) depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +ECDSA DER -> Raw, 256bit, Invalid r (0-length) +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"3025020002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA + # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 From efcc55500265c7a1a39a507cfbb0220aebefd689 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 31 Jan 2024 11:15:37 +0100 Subject: [PATCH 27/53] test_suite_psa_crypto_util: add test with 0-length s Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 78f048ade..46af1f16f 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -74,6 +74,10 @@ ECDSA DER -> Raw, 256bit, Invalid r (0-length) depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"3025020002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA +ECDSA DER -> Raw, 256bit, Invalid s (0-length) +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"3044022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA + # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 From 3122f4da50b401cc56374ad8891bfd782a506483 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 31 Jan 2024 11:16:46 +0100 Subject: [PATCH 28/53] psa_util: invert check order for leading zeros in convert_der_to_raw_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_util.c b/library/psa_util.c index dfea36b90..be257e72e 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -489,7 +489,7 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, } /* Skip possible leading zero */ - if ((*p == 0x00) && (unpadded_len > 0)) { + if ((unpadded_len > 0) && (*p == 0x00)) { p++; unpadded_len--; /* It should never happen that the input number is all zeros. */ From 2d73baf171560d27afef869cc960172b717ea7db Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 1 Feb 2024 15:25:17 +0100 Subject: [PATCH 29/53] psa_util: convert_der_to_raw_single_int: ensure the input DER integers have valid length Signed-off-by: Valerio Setti --- library/psa_util.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index be257e72e..b13d83d47 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -492,10 +492,10 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, if ((unpadded_len > 0) && (*p == 0x00)) { p++; unpadded_len--; - /* It should never happen that the input number is all zeros. */ - if (unpadded_len == 0) { - return MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; - } + } + /* It should never happen that the input number has 0 length. */ + if (unpadded_len == 0) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; } if (unpadded_len > coordinate_size) { From 3ecb395fb93626e6250ee693b6eb0ce3eba0fe44 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 1 Feb 2024 15:26:24 +0100 Subject: [PATCH 30/53] test_suite_psa_crypto_util: fix tests for 0-length and one 0x00 byte for r and s Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 46af1f16f..9368d7939 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -68,15 +68,19 @@ ecdsa_der_to_raw:256:"3045022100911111111111111111111111111111111111111111111111 ECDSA DER -> Raw, 256bit, Invalid r (only 1 zero byte) depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH +ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA DER -> Raw, 256bit, Invalid s (only 1 zero byte) +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"302502201111111111111111111111111111111111111111111111111111111111111111020100":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Invalid r (0-length) depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"3025020002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA +ecdsa_der_to_raw:256:"3024020002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA DER -> Raw, 256bit, Invalid s (0-length) +ECDSA DER -> Raw, 256bit,Invalid s (0-length) depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"3044022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA +ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success @@ -110,4 +114,4 @@ ecdsa_raw_to_der_incremental:512:"9111111111111111111111111111111111111111111111 ECDSA Raw -> DER, 521bit, Incremental DER buffer sizes depends_on:PSA_WANT_ECC_SECP_R1_521 -ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" +ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" \ No newline at end of file From c9dd8611f8f4d10ddbfe823dfc7615acd957536d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 2 Feb 2024 12:34:06 +0100 Subject: [PATCH 31/53] test_suite_psa_crypto_util: add missing new line at the end of file Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 9368d7939..c92b5fcc1 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -114,4 +114,4 @@ ecdsa_raw_to_der_incremental:512:"9111111111111111111111111111111111111111111111 ECDSA Raw -> DER, 521bit, Incremental DER buffer sizes depends_on:PSA_WANT_ECC_SECP_R1_521 -ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" \ No newline at end of file +ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" From 864519793777dd9bfd416c3a60a272f6d0622934 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 09:50:20 +0100 Subject: [PATCH 32/53] psa_util: fix documentation of ECDSA conversion functions Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 15e92e36f..b7b710f65 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -184,35 +184,33 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa #if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA) -/** Convert an ECDSA signature from raw format (used by PSA APIs) to DER ASN.1 - * format (used by legacy crypto APIs). +/** Convert an ECDSA signature from raw format to DER ASN.1 format. * * \param raw Buffer that contains the signature in raw format. - * \param raw_len Length of raw buffer in bytes + * \param raw_len Length of \p raw in bytes. * \param[out] der Buffer that will be filled with the converted DER * output. It can overlap with raw buffer. - * \param der_size Size of the output der buffer in bytes. + * \param der_size Size of \p der in bytes. * \param[out] der_len On success it contains the amount of valid data - * (in bytes) written to der buffer. It's undefined + * (in bytes) written to \p der. It's undefined * in case of failure. - * \param bits Size of each raw coordinate in bits. + * \param bits Size of each coordinate in bits. */ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, unsigned char *der, size_t der_size, size_t *der_len, size_t bits); -/** Convert an ECDSA signature from DER ASN.1 format (used by legacy crypto - * APIs) to raw format (used by PSA APIs). +/** Convert an ECDSA signature from DER ASN.1 format to raw format. * * \param der Buffer that contains the signature in DER format. - * \param der_len Size of the der buffer in bytes. + * \param der_len Size of \p der in bytes. * \param[out] raw Buffer that will be filled with the converted raw * signature. It can overlap with der buffer. - * \param raw_size Size of the raw buffer in bytes. + * \param raw_size Size of \p raw in bytes. * \param[out] raw_len On success it is updated with the amount of valid - * data (in bytes) written to raw buffer. It's undefined + * data (in bytes) written to \p raw. It's undefined * in case of failure. - * \param bits Size of each raw coordinate in bits. + * \param bits Size of each coordinate in bits. */ int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, unsigned char *raw, size_t raw_size, size_t *raw_len, From 315e4afc0a6bc4e55340fe8de7891e076e277da5 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 10:09:15 +0100 Subject: [PATCH 33/53] psa_util: change parameters order in ECDSA conversion functions Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 14 ++++++------- library/pk_wrap.c | 7 +++---- library/psa_util.c | 10 ++++------ .../test_suite_psa_crypto_util.function | 20 ++++++++----------- 4 files changed, 21 insertions(+), 30 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index b7b710f65..06732d8c5 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -186,6 +186,7 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa /** Convert an ECDSA signature from raw format to DER ASN.1 format. * + * \param bits Size of each coordinate in bits. * \param raw Buffer that contains the signature in raw format. * \param raw_len Length of \p raw in bytes. * \param[out] der Buffer that will be filled with the converted DER @@ -194,14 +195,13 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa * \param[out] der_len On success it contains the amount of valid data * (in bytes) written to \p der. It's undefined * in case of failure. - * \param bits Size of each coordinate in bits. */ -int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, - unsigned char *der, size_t der_size, size_t *der_len, - size_t bits); +int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_len, + unsigned char *der, size_t der_size, size_t *der_len); /** Convert an ECDSA signature from DER ASN.1 format to raw format. * + * \param bits Size of each coordinate in bits. * \param der Buffer that contains the signature in DER format. * \param der_len Size of \p der in bytes. * \param[out] raw Buffer that will be filled with the converted raw @@ -210,11 +210,9 @@ int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, * \param[out] raw_len On success it is updated with the amount of valid * data (in bytes) written to \p raw. It's undefined * in case of failure. - * \param bits Size of each coordinate in bits. */ -int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, - unsigned char *raw, size_t raw_size, size_t *raw_len, - size_t bits); +int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_len, + unsigned char *raw, size_t raw_size, size_t *raw_len); #endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */ diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 9a29d929e..c45fbd436 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -573,9 +573,8 @@ static int ecdsa_verify_psa(unsigned char *key, size_t key_len, } p = (unsigned char *) sig; - ret = mbedtls_ecdsa_der_to_raw(p, sig_len, extracted_sig, - sizeof(extracted_sig), &converted_sig_len, - curve_bits); + ret = mbedtls_ecdsa_der_to_raw(curve_bits, p, sig_len, extracted_sig, + sizeof(extracted_sig), &converted_sig_len); if (ret != 0) { goto cleanup; } @@ -730,7 +729,7 @@ static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg, } done: - ret = mbedtls_ecdsa_raw_to_der(sig, sig_size, sig, sig_size, sig_len, key_bits); + ret = mbedtls_ecdsa_raw_to_der(key_bits, sig, sig_size, sig, sig_size, sig_len); return ret; } diff --git a/library/psa_util.c b/library/psa_util.c index b13d83d47..2491f2e45 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -402,9 +402,8 @@ static int convert_raw_to_der_single_int(const unsigned char *raw_buf, size_t ra return len; } -int mbedtls_ecdsa_raw_to_der(const unsigned char *raw, size_t raw_len, - unsigned char *der, size_t der_size, size_t *der_len, - size_t bits) +int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_len, + unsigned char *der, size_t der_size, size_t *der_len) { unsigned char r[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; unsigned char s[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; @@ -511,9 +510,8 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, return (int) (p - der); } -int mbedtls_ecdsa_der_to_raw(const unsigned char *der, size_t der_len, - unsigned char *raw, size_t raw_size, size_t *raw_len, - size_t bits) +int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_len, + unsigned char *raw, size_t raw_size, size_t *raw_len) { unsigned char raw_tmp[PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE]; unsigned char *p = (unsigned char *) der; diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index 9dc95b659..c102b0761 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -12,9 +12,8 @@ void ecdsa_raw_to_der(int key_bits, data_t *input, data_t *exp_result, int exp_r TEST_CALLOC(tmp_buf, tmp_buf_len); - TEST_EQUAL(mbedtls_ecdsa_raw_to_der(input->x, input->len, - tmp_buf, tmp_buf_len, &ret_len, - key_bits), exp_ret); + TEST_EQUAL(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, + tmp_buf, tmp_buf_len, &ret_len), exp_ret); if (exp_ret == 0) { ASSERT_COMPARE(exp_result->x, exp_result->len, tmp_buf, ret_len); @@ -35,17 +34,15 @@ void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_resul for (i = 1; i < tmp_buf_len; i++) { TEST_CALLOC(tmp_buf, i); - TEST_ASSERT(mbedtls_ecdsa_raw_to_der(input->x, input->len, - tmp_buf, i, &ret_len, - key_bits) != 0); + TEST_ASSERT(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, + tmp_buf, i, &ret_len) != 0); mbedtls_free(tmp_buf); tmp_buf = NULL; } TEST_CALLOC(tmp_buf, i); - TEST_EQUAL(mbedtls_ecdsa_raw_to_der(input->x, input->len, - tmp_buf, i, &ret_len, - key_bits), 0); + TEST_EQUAL(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, + tmp_buf, i, &ret_len), 0); exit: mbedtls_free(tmp_buf); } @@ -60,9 +57,8 @@ void ecdsa_der_to_raw(int key_bits, data_t *input, data_t *exp_result, int exp_r TEST_CALLOC(tmp_buf, tmp_buf_len); - TEST_EQUAL(mbedtls_ecdsa_der_to_raw(input->x, input->len, - tmp_buf, tmp_buf_len, &ret_len, - key_bits), exp_ret); + TEST_EQUAL(mbedtls_ecdsa_der_to_raw(key_bits, input->x, input->len, + tmp_buf, tmp_buf_len, &ret_len), exp_ret); if (exp_ret == 0) { ASSERT_COMPARE(exp_result->x, exp_result->len, tmp_buf, ret_len); From 954ef4bbd5727a92113732e51622af374d2f736f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 12:06:46 +0100 Subject: [PATCH 34/53] psa_util: improve convert_raw_to_der_single_int() Allow the function to support DER buffers than what it is nominally required by the provided coordinates. In other words let's ignore padding zeros in the raw number. Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 7 +++++- library/psa_util.c | 25 ++++++++++--------- tests/suites/test_suite_psa_crypto_util.data | 4 +++ .../test_suite_psa_crypto_util.function | 13 +++++++--- 4 files changed, 33 insertions(+), 16 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 06732d8c5..132c73f23 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -191,7 +191,12 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa * \param raw_len Length of \p raw in bytes. * \param[out] der Buffer that will be filled with the converted DER * output. It can overlap with raw buffer. - * \param der_size Size of \p der in bytes. + * \param der_size Size of \p der in bytes. Given \p bits parameter: + * * #MBEDTLS_ECDSA_MAX_SIG_LEN(\p bits) can be used + * to determine a large enough buffer for any + * \p raw input vector. + * * The minimum size might be smaller in case + * \p raw input vector contains padding zeros. * \param[out] der_len On success it contains the amount of valid data * (in bytes) written to \p der. It's undefined * in case of failure. diff --git a/library/psa_util.c b/library/psa_util.c index 2491f2e45..4e350c097 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -365,9 +365,21 @@ static int convert_raw_to_der_single_int(const unsigned char *raw_buf, size_t ra unsigned char *der_buf_end) { unsigned char *p = der_buf_end; - int len = (int) raw_len; + int len; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + /* ASN.1 DER encoding requires minimal length, so skip leading 0s. + * Provided input MPIs should not be 0, but as a failsafe measure, still + * detect that and return error in case. */ + while (*raw_buf == 0x00) { + ++raw_buf; + --raw_len; + if (raw_len == 0) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } + } + len = (int) raw_len; + /* Copy the raw coordinate to the end of der_buf. */ if ((p - der_buf_start) < len) { return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL; @@ -375,17 +387,6 @@ static int convert_raw_to_der_single_int(const unsigned char *raw_buf, size_t ra p -= len; memcpy(p, raw_buf, len); - /* ASN.1 DER encoding requires minimal length, so skip leading 0s. - * Provided input MPIs should not be 0, but as a failsafe measure, still - * detect that and return error in case. */ - while (*p == 0x00) { - ++p; - --len; - if (len == 0) { - return MBEDTLS_ERR_ASN1_INVALID_DATA; - } - } - /* If MSb is 1, ASN.1 requires that we prepend a 0. */ if (*p & 0x80) { if ((p - der_buf_start) < 1) { diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index c92b5fcc1..606e56399 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -115,3 +115,7 @@ ecdsa_raw_to_der_incremental:512:"9111111111111111111111111111111111111111111111 ECDSA Raw -> DER, 521bit, Incremental DER buffer sizes depends_on:PSA_WANT_ECC_SECP_R1_521 ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" + +ECDSA Raw -> DER, 256bit, DER buffer of minimal length (1 byte per integer) +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_raw_to_der_incremental:256:"00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000002":"3006020101020102" diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index c102b0761..51f42a7bd 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -32,6 +32,7 @@ void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_resul size_t ret_len; size_t i; + /* Test with an output buffer smaller than required (expexted to fail). */ for (i = 1; i < tmp_buf_len; i++) { TEST_CALLOC(tmp_buf, i); TEST_ASSERT(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, @@ -39,10 +40,16 @@ void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_resul mbedtls_free(tmp_buf); tmp_buf = NULL; } + /* Test with an output buffer larger/equal than required (expexted to + * succeed). */ + for (i = tmp_buf_len; i < (2 * tmp_buf_len); i++) { + TEST_CALLOC(tmp_buf, i); + TEST_ASSERT(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, + tmp_buf, i, &ret_len) == 0); + mbedtls_free(tmp_buf); + tmp_buf = NULL; + } - TEST_CALLOC(tmp_buf, i); - TEST_EQUAL(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, - tmp_buf, i, &ret_len), 0); exit: mbedtls_free(tmp_buf); } From e01a2b03c63ef2fd087d850a6a006231417e5f71 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 15:16:36 +0100 Subject: [PATCH 35/53] psa_util: update documentation for mbedtls_ecdsa_der_to_raw() Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 132c73f23..8868bc13a 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -211,7 +211,8 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l * \param der_len Size of \p der in bytes. * \param[out] raw Buffer that will be filled with the converted raw * signature. It can overlap with der buffer. - * \param raw_size Size of \p raw in bytes. + * \param raw_size Size of \p raw in bytes. Must be at least + * 2 * PSA_BITS_TO_BYTES(bits) bytes. * \param[out] raw_len On success it is updated with the amount of valid * data (in bytes) written to \p raw. It's undefined * in case of failure. From 2bd0ecdf4582ee04877c028c456ecf487d47dc9b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 15:25:15 +0100 Subject: [PATCH 36/53] psa_util: improve documentation for convert_raw_to_der_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_util.c b/library/psa_util.c index 4e350c097..1bb02e907 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -346,7 +346,7 @@ mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family, * * \param raw_buf Buffer containing the raw coordinate to be * converted. - * \param raw_len Length of raw_buf in bytes. + * \param raw_len Length of raw_buf in bytes. This must be > 0. * \param der_buf_start Pointer to the beginning of the buffer which * will be filled with the DER converted data. * \param der_buf_end End of the buffer used to store the DER output. From 8334d00772c155c41eb1a735417fd98dfd0382ee Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 15:35:26 +0100 Subject: [PATCH 37/53] psa_util: improve check of raw_len in mbedtls_ecdsa_raw_to_der() Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 3 ++- library/psa_util.c | 2 +- tests/suites/test_suite_psa_crypto_util.data | 8 ++++++++ 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 8868bc13a..a5f09a4f4 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -188,7 +188,8 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa * * \param bits Size of each coordinate in bits. * \param raw Buffer that contains the signature in raw format. - * \param raw_len Length of \p raw in bytes. + * \param raw_len Length of \p raw in bytes. This must be + * PSA_BITS_TO_BYTES(bits) bytes. * \param[out] der Buffer that will be filled with the converted DER * output. It can overlap with raw buffer. * \param der_size Size of \p der in bytes. Given \p bits parameter: diff --git a/library/psa_util.c b/library/psa_util.c index 1bb02e907..f3fcd1d8c 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -413,7 +413,7 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l unsigned char *p = der + der_size; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if (raw_len < 2 * coordinate_len) { + if ((raw_len < 2 * coordinate_len) || (raw_len > 2 * coordinate_len)) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 606e56399..580622f8c 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -26,6 +26,14 @@ ECDSA Raw -> DER, 256bit, s with MSb set depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 +ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte shorter) +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte longer) +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + ECDSA DER -> Raw, 256bit, Success depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 From bec1d842ac2a38d37a30fee182a7246ead5c41c9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 15:50:02 +0100 Subject: [PATCH 38/53] psa_util: convert_der_to_raw_single_int() accepts also all zero integers These values are not mathematically valid as signature, but as for what it concerns with ECDSA conversion functions, 0 values in DER format should be translated to 0 values in raw format. Signed-off-by: Valerio Setti --- library/psa_util.c | 4 ---- tests/suites/test_suite_psa_crypto_util.data | 24 +++++++++++++------- 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index f3fcd1d8c..0a77855b0 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -493,10 +493,6 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, p++; unpadded_len--; } - /* It should never happen that the input number has 0 length. */ - if (unpadded_len == 0) { - return MBEDTLS_ERR_ASN1_INVALID_DATA; - } if (unpadded_len > coordinate_size) { /* Parsed number is longer than the maximum expected value. */ diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 580622f8c..f12a4bb72 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -74,21 +74,29 @@ ECDSA DER -> Raw, 256bit, r with MSb set depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA DER -> Raw, 256bit, Invalid r (only 1 zero byte) +ECDSA DER -> Raw, 256bit, Valid r all zeros depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ecdsa_der_to_raw:256:"30440220000000000000000000000000000000000000000000000000000000000000000002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA DER -> Raw, 256bit, Invalid s (only 1 zero byte) +ECDSA DER -> Raw, 256bit, Valid s all zeros depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"302502201111111111111111111111111111111111111111111111111111111111111111020100":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102200000000000000000000000000000000000000000000000000000000000000000":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 -ECDSA DER -> Raw, 256bit, Invalid r (0-length) +ECDSA DER -> Raw, 256bit, Valid r only 1 zero byte depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"3024020002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA DER -> Raw, 256bit,Invalid s (0-length) +ECDSA DER -> Raw, 256bit, Valid s only 1 zero byte depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA +ecdsa_der_to_raw:256:"302502201111111111111111111111111111111111111111111111111111111111111111020100":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 + +ECDSA DER -> Raw, 256bit, Valid 0-length r +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"3024020002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 + +ECDSA DER -> Raw, 256bit, Valid 0-length s +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success From 05c256fb3639d3ae3ca414d309851e45fdb36ca4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 16:02:11 +0100 Subject: [PATCH 39/53] psa_util: minor performance improvement in mbedtls_ecdsa_der_to_raw() Signed-off-by: Valerio Setti --- library/psa_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_util.c b/library/psa_util.c index 0a77855b0..7e79b1ce8 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -529,7 +529,7 @@ int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_l return ret; } - memset(raw_tmp, 0, sizeof(raw_tmp)); + memset(raw_tmp, 0, 2 * coordinate_size); /* Extract r */ ret = convert_der_to_raw_single_int(p, data_len, raw_tmp, coordinate_size); From 091bdc416d5056554bb8963054357423165662b7 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 16:17:44 +0100 Subject: [PATCH 40/53] psa_util: enhance checks on leading zeros in convert_der_to_raw_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 10 ++++++++++ tests/suites/test_suite_psa_crypto_util.data | 12 ++++++++---- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index 7e79b1ce8..674f21b9b 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -488,10 +488,20 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, return ret; } + /* It's invalid to have MSb set without a leading 0x00 (leading 0x00 is + * checked below). */ + if ((*p & 0x80) != 0) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } + /* Skip possible leading zero */ if ((unpadded_len > 0) && (*p == 0x00)) { p++; unpadded_len--; + /* Only 1 leading zero is allowed, otherwise that's an error. */ + if (*p == 0x00) { + return MBEDTLS_ERR_ASN1_INVALID_DATA; + } } if (unpadded_len > coordinate_size) { diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index f12a4bb72..568f6c571 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -74,13 +74,13 @@ ECDSA DER -> Raw, 256bit, r with MSb set depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA DER -> Raw, 256bit, Valid r all zeros +ECDSA DER -> Raw, 256bit, Invalid r all zeros depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"30440220000000000000000000000000000000000000000000000000000000000000000002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_der_to_raw:256:"30440220000000000000000000000000000000000000000000000000000000000000000002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA DER -> Raw, 256bit, Valid s all zeros +ECDSA DER -> Raw, 256bit, Invalid s all zeros depends_on:PSA_WANT_ECC_SECP_K1_256 -ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102200000000000000000000000000000000000000000000000000000000000000000":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 +ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102200000000000000000000000000000000000000000000000000000000000000000":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Valid r only 1 zero byte depends_on:PSA_WANT_ECC_SECP_K1_256 @@ -98,6 +98,10 @@ ECDSA DER -> Raw, 256bit, Valid 0-length s depends_on:PSA_WANT_ECC_SECP_K1_256 ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 +ECDSA DER -> Raw, 256bit, Invalid r: MSb set without leading zero +depends_on:PSA_WANT_ECC_SECP_K1_256 +ecdsa_der_to_raw:256:"30440220911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 From 110126110da3316451f9ddf7d4f011973c6d1a17 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 16:24:18 +0100 Subject: [PATCH 41/53] test_suite_psa_util: use more generic symbols for test case dependencies Use PSA_VENDOR_ECC_MAX_CURVE_BITS instead of a specific curve since what we care about is only bit-size not the curve itself. Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 68 ++++++++++---------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 568f6c571..69e4e19e9 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -1,141 +1,141 @@ ECDSA Raw -> DER, 256bit, Success -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, Raw data too short -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, DER buffer too small -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ECDSA Raw -> DER, 256bit, Null r -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, Null s -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, r with MSb set -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, s with MSb set -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte shorter) -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte longer) -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Success -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Raw buffer too small -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ECDSA DER -> Raw, 256bit, Wrong sequence tag -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Invalid sequence length -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30ff0220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_LENGTH ECDSA DER -> Raw, 256bit, Wrong integer tag -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440120111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong r integer length (too small) -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440219111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ECDSA DER -> Raw, 256bit, Wrong r integer length (too large) -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Wrong s integer length (too small) -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102192222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ECDSA DER -> Raw, 256bit, Wrong s integer length (too large) -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA ECDSA DER -> Raw, 256bit, r with MSb set -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Invalid r all zeros -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220000000000000000000000000000000000000000000000000000000000000000002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Invalid s all zeros -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102200000000000000000000000000000000000000000000000000000000000000000":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Valid r only 1 zero byte -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"302502010002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Valid s only 1 zero byte -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"302502201111111111111111111111111111111111111111111111111111111111111111020100":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 ECDSA DER -> Raw, 256bit, Valid 0-length r -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"3024020002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 ECDSA DER -> Raw, 256bit, Valid 0-length s -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 ECDSA DER -> Raw, 256bit, Invalid r: MSb set without leading zero -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA Raw -> DER, 512bit, Success -depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 512 ecdsa_raw_to_der:512:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. ECDSA DER -> Raw, 512bit, Success -depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 512 ecdsa_der_to_raw:512:"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. # Bit length is rounded up to 528 to be multiple of 8. ECDSA Raw -> DER, 521bit, Success -depends_on:PSA_WANT_ECC_SECP_R1_521 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 ecdsa_raw_to_der:528:"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. # Bit length is rounded up to 528 to be multiple of 8. ECDSA DER -> Raw, 521bit, Success -depends_on:PSA_WANT_ECC_SECP_R1_521 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 ecdsa_der_to_raw:528:"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, Incremental DER buffer sizes -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der_incremental:256:"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222" ECDSA Raw -> DER, 512bit, Incremental DER buffer sizes -depends_on:PSA_WANT_ECC_BRAINPOOL_P_R1_512 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 512 ecdsa_raw_to_der_incremental:512:"9111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818502410091111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" ECDSA Raw -> DER, 521bit, Incremental DER buffer sizes -depends_on:PSA_WANT_ECC_SECP_R1_521 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" ECDSA Raw -> DER, 256bit, DER buffer of minimal length (1 byte per integer) -depends_on:PSA_WANT_ECC_SECP_K1_256 +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der_incremental:256:"00000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000002":"3006020101020102" From 1792bb44a0aac407b8d87b08eeba487e19ac854f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 17:34:49 +0100 Subject: [PATCH 42/53] test_suite_psa_crypto_util: add more test cases Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 28 +++++++++++++++++--- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 69e4e19e9..7f3f5b50b 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -26,6 +26,18 @@ ECDSA Raw -> DER, 256bit, s with MSb set depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"304502201111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 +ECDSA Raw -> DER, 256bit, both r and s with MSb set +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_raw_to_der:256:"A111111111111111111111111111111111111111111111111111111111111111A222222222222222222222222222222222222222222222222222222222222222":"3046022100A111111111111111111111111111111111111111111111111111111111111111022100A222222222222222222222222222222222222222222222222222222222222222":0 + +ECDSA Raw -> DER, 256bit, r and s only 1 byte of data +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_raw_to_der:256:"00000000000000000000000000000000000000000000000000000000000000110000000000000000000000000000000000000000000000000000000000000022":"3006020111020122":0 + +ECDSA Raw -> DER, 256bit, r and s only 1 byte of data with MSb set +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_raw_to_der:256:"000000000000000000000000000000000000000000000000000000000000009100000000000000000000000000000000000000000000000000000000000000A2":"300802020091020200A2":0 + ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte shorter) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA @@ -54,22 +66,26 @@ ECDSA DER -> Raw, 256bit, Wrong integer tag depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440120111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG -ECDSA DER -> Raw, 256bit, Wrong r integer length (too small) +ECDSA DER -> Raw, 256bit, Wrong r integer length (1 byte smaller than the actual size) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440219111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG -ECDSA DER -> Raw, 256bit, Wrong r integer length (too large) +ECDSA DER -> Raw, 256bit, Wrong r integer length (1 byte larger than the actual size) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440221111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA DER -> Raw, 256bit, Wrong s integer length (too small) +ECDSA DER -> Raw, 256bit, Wrong s integer length (1 byte smaller than the actual size) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102192222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_LENGTH_MISMATCH -ECDSA DER -> Raw, 256bit, Wrong s integer length (too large) +ECDSA DER -> Raw, 256bit, Wrong s integer length (1 byte larger than the actual size) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102212222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_OUT_OF_DATA +ECDSA DER -> Raw, 256bit, r size 1 byte larger than allowed for output raw coordinate +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_der_to_raw:256:"3045022111111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + ECDSA DER -> Raw, 256bit, r with MSb set depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"3045022100911111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"91111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 @@ -118,6 +134,10 @@ ECDSA Raw -> DER, 521bit, Success depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 ecdsa_raw_to_der:528:"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +ECDSA Raw -> DER, 521bit, Success (integers exactly 521 bits) +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 +ecdsa_raw_to_der:528:"011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802420111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 + # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. # Bit length is rounded up to 528 to be multiple of 8. ECDSA DER -> Raw, 521bit, Success From 0e60e93c12002b1aae6fb77e647b3cfdba64134e Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 5 Feb 2024 17:59:42 +0100 Subject: [PATCH 43/53] test_suite_psa_crypto_util: improve ecdsa_der_to_raw() Check that the parsing always fails if the input is truncated. Signed-off-by: Valerio Setti --- .../test_suite_psa_crypto_util.function | 27 ++++++++++++++----- 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index 51f42a7bd..fe811e062 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -58,20 +58,35 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_PSA_UTIL_HAVE_ECDSA */ void ecdsa_der_to_raw(int key_bits, data_t *input, data_t *exp_result, int exp_ret) { - unsigned char *tmp_buf = NULL; - size_t tmp_buf_len = exp_result->len; + unsigned char *in_buf = NULL; + size_t in_buf_len; + unsigned char *out_buf = NULL; + size_t out_buf_len = exp_result->len; size_t ret_len; - TEST_CALLOC(tmp_buf, tmp_buf_len); + TEST_CALLOC(out_buf, out_buf_len); + + /* Verify that parsing of truncated input always fails. */ + for (in_buf_len = 1; in_buf_len < input->len; in_buf_len++) { + /* We alloc a copy of input buffer with limited length so that sanitizers + * can detect overreads. */ + TEST_CALLOC(in_buf, in_buf_len); + memcpy(in_buf, input->x, in_buf_len); + TEST_ASSERT(mbedtls_ecdsa_der_to_raw(key_bits, in_buf, in_buf_len, + out_buf, out_buf_len, &ret_len) != 0); + mbedtls_free(in_buf); + in_buf = NULL; + } TEST_EQUAL(mbedtls_ecdsa_der_to_raw(key_bits, input->x, input->len, - tmp_buf, tmp_buf_len, &ret_len), exp_ret); + out_buf, out_buf_len, &ret_len), exp_ret); if (exp_ret == 0) { - ASSERT_COMPARE(exp_result->x, exp_result->len, tmp_buf, ret_len); + ASSERT_COMPARE(exp_result->x, exp_result->len, out_buf, ret_len); } exit: - mbedtls_free(tmp_buf); + mbedtls_free(in_buf); + mbedtls_free(out_buf); } /* END_CASE */ From d4fc5d9d1c76a6cb978ceb4cc74ec62b111b0007 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 08:42:42 +0100 Subject: [PATCH 44/53] psa_util: allow larger raw buffers in mbedtls_ecdsa_raw_to_der() The only real contraint on the raw buffer is that it is large enough to contain 2 coordinates. Larger buffers are therefore allowed and the extra data will simply be ignored. Note = trying to impose a strict sizing on the raw buffer causes several failures in test suites. This suggests that it is quite common to use larger buffer to store raw signatures. Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 2 +- library/psa_util.c | 2 +- tests/suites/test_suite_psa_crypto_util.data | 4 ---- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index a5f09a4f4..9294d29bb 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -188,7 +188,7 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa * * \param bits Size of each coordinate in bits. * \param raw Buffer that contains the signature in raw format. - * \param raw_len Length of \p raw in bytes. This must be + * \param raw_len Length of \p raw in bytes. This must be at least * PSA_BITS_TO_BYTES(bits) bytes. * \param[out] der Buffer that will be filled with the converted DER * output. It can overlap with raw buffer. diff --git a/library/psa_util.c b/library/psa_util.c index 674f21b9b..7ce5eea03 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -413,7 +413,7 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l unsigned char *p = der + der_size; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if ((raw_len < 2 * coordinate_len) || (raw_len > 2 * coordinate_len)) { + if (raw_len < 2 * coordinate_len) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 7f3f5b50b..f7e6ebace 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -42,10 +42,6 @@ ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte shorter) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte longer) -depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 -ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA - ECDSA DER -> Raw, 256bit, Success depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 From 94c5806a64aa68eac1af9ad25d3b4e302fdae2f4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 15:49:06 +0100 Subject: [PATCH 45/53] suite_psa_crypto_util: make ecdsa_raw_to_der_incremental() more readable Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.function | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.function b/tests/suites/test_suite_psa_crypto_util.function index fe811e062..2d8915e54 100644 --- a/tests/suites/test_suite_psa_crypto_util.function +++ b/tests/suites/test_suite_psa_crypto_util.function @@ -28,12 +28,11 @@ exit: void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_result) { unsigned char *tmp_buf = NULL; - size_t tmp_buf_len = exp_result->len; size_t ret_len; size_t i; /* Test with an output buffer smaller than required (expexted to fail). */ - for (i = 1; i < tmp_buf_len; i++) { + for (i = 1; i < exp_result->len; i++) { TEST_CALLOC(tmp_buf, i); TEST_ASSERT(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, tmp_buf, i, &ret_len) != 0); @@ -42,7 +41,7 @@ void ecdsa_raw_to_der_incremental(int key_bits, data_t *input, data_t *exp_resul } /* Test with an output buffer larger/equal than required (expexted to * succeed). */ - for (i = tmp_buf_len; i < (2 * tmp_buf_len); i++) { + for (i = exp_result->len; i < (2 * exp_result->len); i++) { TEST_CALLOC(tmp_buf, i); TEST_ASSERT(mbedtls_ecdsa_raw_to_der(key_bits, input->x, input->len, tmp_buf, i, &ret_len) == 0); From 2b6a7b37f40c01f63497782525421026ee697f22 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 16:21:44 +0100 Subject: [PATCH 46/53] suite_psa_crypto_util: use 521 bits data and bit-size instead of 528 Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index f7e6ebace..eb205b905 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -125,20 +125,14 @@ depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 512 ecdsa_der_to_raw:512:"308184024011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. -# Bit length is rounded up to 528 to be multiple of 8. ECDSA Raw -> DER, 521bit, Success depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 -ecdsa_raw_to_der:528:"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 - -ECDSA Raw -> DER, 521bit, Success (integers exactly 521 bits) -depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 -ecdsa_raw_to_der:528:"011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802420111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_raw_to_der:521:"011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802420111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 # 512/521 bit sizes are useful to test sequence's length encoded with 2 bytes. -# Bit length is rounded up to 528 to be multiple of 8. ECDSA DER -> Raw, 521bit, Success depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 -ecdsa_der_to_raw:528:"30818802421111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_der_to_raw:521:"30818802420111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":0 ECDSA Raw -> DER, 256bit, Incremental DER buffer sizes depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 @@ -150,7 +144,7 @@ ecdsa_raw_to_der_incremental:512:"9111111111111111111111111111111111111111111111 ECDSA Raw -> DER, 521bit, Incremental DER buffer sizes depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 521 -ecdsa_raw_to_der_incremental:528:"911111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"3081890243009111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" +ecdsa_raw_to_der_incremental:521:"011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818802420111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110242012222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222" ECDSA Raw -> DER, 256bit, DER buffer of minimal length (1 byte per integer) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 From 6269f3baf497e3a9b8d5e9d8d40d8a9c4af144f6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 16:55:18 +0100 Subject: [PATCH 47/53] Revert "psa_util: allow larger raw buffers in mbedtls_ecdsa_raw_to_der()" This reverts commit d4fc5d9d1c76a6cb978ceb4cc74ec62b111b0007. Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 2 +- library/psa_util.c | 2 +- tests/suites/test_suite_psa_crypto_util.data | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 9294d29bb..a5f09a4f4 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -188,7 +188,7 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa * * \param bits Size of each coordinate in bits. * \param raw Buffer that contains the signature in raw format. - * \param raw_len Length of \p raw in bytes. This must be at least + * \param raw_len Length of \p raw in bytes. This must be * PSA_BITS_TO_BYTES(bits) bytes. * \param[out] der Buffer that will be filled with the converted DER * output. It can overlap with raw buffer. diff --git a/library/psa_util.c b/library/psa_util.c index 7ce5eea03..674f21b9b 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -413,7 +413,7 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l unsigned char *p = der + der_size; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if (raw_len < 2 * coordinate_len) { + if ((raw_len < 2 * coordinate_len) || (raw_len > 2 * coordinate_len)) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index eb205b905..1d170297b 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -42,6 +42,10 @@ ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte shorter) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte longer) +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + ECDSA DER -> Raw, 256bit, Success depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 From cf81f6997759decd200a8953cd9d3f46f3de447a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 16:57:12 +0100 Subject: [PATCH 48/53] psa_util: smarter raw length check in mbedtls_ecdsa_raw_to_der() Signed-off-by: Valerio Setti --- library/psa_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_util.c b/library/psa_util.c index 674f21b9b..970274e3f 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -413,7 +413,7 @@ int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_l unsigned char *p = der + der_size; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if ((raw_len < 2 * coordinate_len) || (raw_len > 2 * coordinate_len)) { + if (raw_len != (2 * coordinate_len)) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } From bb76f80218fa679eff384a1dace645d5faa5774f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 16:57:23 +0100 Subject: [PATCH 49/53] pk_wrap: use proper raw buffer length in ecdsa_sign_psa() Signed-off-by: Valerio Setti --- library/pk_wrap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index c45fbd436..d61a7cbad 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -729,7 +729,7 @@ static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg, } done: - ret = mbedtls_ecdsa_raw_to_der(key_bits, sig, sig_size, sig, sig_size, sig_len); + ret = mbedtls_ecdsa_raw_to_der(key_bits, sig, *sig_len, sig, sig_size, sig_len); return ret; } From 1810fd9ac8f78be06558b3cdfacc70a9b3ece362 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 Feb 2024 17:02:49 +0100 Subject: [PATCH 50/53] add changelog Signed-off-by: Valerio Setti --- ChangeLog.d/7765.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/7765.txt diff --git a/ChangeLog.d/7765.txt b/ChangeLog.d/7765.txt new file mode 100644 index 000000000..3dd6b5d30 --- /dev/null +++ b/ChangeLog.d/7765.txt @@ -0,0 +1,3 @@ +Features + * Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to + convert ECDSA signatures between raw and DER (ASN.1) formats. From affba30833d7b38d22670ba389fe9b71aaf158a5 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 7 Feb 2024 15:03:33 +0100 Subject: [PATCH 51/53] psa_util: update documentation for mbedtls_ecdsa_raw_to_der() Signed-off-by: Valerio Setti --- include/mbedtls/psa_util.h | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index a5f09a4f4..984f03154 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -192,12 +192,13 @@ static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa * PSA_BITS_TO_BYTES(bits) bytes. * \param[out] der Buffer that will be filled with the converted DER * output. It can overlap with raw buffer. - * \param der_size Size of \p der in bytes. Given \p bits parameter: - * * #MBEDTLS_ECDSA_MAX_SIG_LEN(\p bits) can be used - * to determine a large enough buffer for any - * \p raw input vector. - * * The minimum size might be smaller in case - * \p raw input vector contains padding zeros. + * \param der_size Size of \p der in bytes. It is enough if \p der_size + * is at least the size of the actual output. (The size + * of the output can vary depending on the presence of + * leading zeros in the data.) You can use + * #MBEDTLS_ECDSA_MAX_SIG_LEN(\p bits) to determine a + * size that is large enough for all signatures for a + * given value of \p bits. * \param[out] der_len On success it contains the amount of valid data * (in bytes) written to \p der. It's undefined * in case of failure. From ef07fa0fc3a6d0a7ebff1777978a7799678f0bd4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 7 Feb 2024 15:16:45 +0100 Subject: [PATCH 52/53] test_suite_psa_crypto_util: add more test for raw->der Signed-off-by: Valerio Setti --- tests/suites/test_suite_psa_crypto_util.data | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 1d170297b..86f63ab85 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -2,10 +2,6 @@ ECDSA Raw -> DER, 256bit, Success depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":0 -ECDSA Raw -> DER, 256bit, Raw data too short -depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 -ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA - ECDSA Raw -> DER, 256bit, DER buffer too small depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL @@ -38,14 +34,22 @@ ECDSA Raw -> DER, 256bit, r and s only 1 byte of data with MSb set depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"000000000000000000000000000000000000000000000000000000000000009100000000000000000000000000000000000000000000000000000000000000A2":"300802020091020200A2":0 -ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte shorter) +ECDSA Raw -> DER, 256bit, Invalid raw signature (r 1 byte shorter) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA Raw -> DER, 256bit, Invalid raw signature (1 byte longer) +ECDSA Raw -> DER, 256bit, Invalid raw signature (r and s 1 byte shorter) +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA Raw -> DER, 256bit, Invalid raw signature (r 1 byte longer) depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_raw_to_der:256:"1111111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA +ECDSA Raw -> DER, 256bit, Invalid raw signature (r and s 1 byte longer) +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_raw_to_der:256:"111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + ECDSA DER -> Raw, 256bit, Success depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":0 From 1910390b4a819d5eaa582ad4a57483b4278e473f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 7 Feb 2024 16:16:58 +0100 Subject: [PATCH 53/53] psa_util: improve leading zeros check in convert_der_to_raw_single_int() Signed-off-by: Valerio Setti --- library/psa_util.c | 15 +++++++++------ tests/suites/test_suite_psa_crypto_util.data | 16 ++++++++++++---- 2 files changed, 21 insertions(+), 10 deletions(-) diff --git a/library/psa_util.c b/library/psa_util.c index 970274e3f..fd119bf3d 100644 --- a/library/psa_util.c +++ b/library/psa_util.c @@ -488,18 +488,21 @@ static int convert_der_to_raw_single_int(unsigned char *der, size_t der_len, return ret; } - /* It's invalid to have MSb set without a leading 0x00 (leading 0x00 is - * checked below). */ - if ((*p & 0x80) != 0) { + /* It's invalid to have: + * - unpadded_len == 0. + * - MSb set without a leading 0x00 (leading 0x00 is checked below). */ + if (((unpadded_len == 0) || (*p & 0x80) != 0)) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } /* Skip possible leading zero */ - if ((unpadded_len > 0) && (*p == 0x00)) { + if (*p == 0x00) { p++; unpadded_len--; - /* Only 1 leading zero is allowed, otherwise that's an error. */ - if (*p == 0x00) { + /* It is not allowed to have more than 1 leading zero. + * Ignore the case in which unpadded_len = 0 because that's a 0 encoded + * in ASN.1 format (i.e. 020100). */ + if ((unpadded_len > 0) && (*p == 0x00)) { return MBEDTLS_ERR_ASN1_INVALID_DATA; } } diff --git a/tests/suites/test_suite_psa_crypto_util.data b/tests/suites/test_suite_psa_crypto_util.data index 86f63ab85..807007b5e 100644 --- a/tests/suites/test_suite_psa_crypto_util.data +++ b/tests/suites/test_suite_psa_crypto_util.data @@ -110,13 +110,21 @@ ECDSA DER -> Raw, 256bit, Valid s only 1 zero byte depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 ecdsa_der_to_raw:256:"302502201111111111111111111111111111111111111111111111111111111111111111020100":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 -ECDSA DER -> Raw, 256bit, Valid 0-length r +ECDSA DER -> Raw, 256bit, Invalid 0-length r depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 -ecdsa_der_to_raw:256:"3024020002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":0 +ecdsa_der_to_raw:256:"3024020002202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA -ECDSA DER -> Raw, 256bit, Valid 0-length s +ECDSA DER -> Raw, 256bit, Invalid 0-length s depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 -ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":0 +ecdsa_der_to_raw:256:"3024022011111111111111111111111111111111111111111111111111111111111111110200":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA DER -> Raw, 256bit, Invalid r 2 leading zeros +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_der_to_raw:256:"3027020300000102202222222222222222222222222222222222222222222222222222222222222222":"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA + +ECDSA DER -> Raw, 256bit, Invalid s 2 leading zeros +depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256 +ecdsa_der_to_raw:256:"3027022011111111111111111111111111111111111111111111111111111111111111110203000001":"11111111111111111111111111111111111111111111111111111111111111110000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ASN1_INVALID_DATA ECDSA DER -> Raw, 256bit, Invalid r: MSb set without leading zero depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256